Package "python3.12-nopie"
Name: python3.12-nopie
Description: Python interpreter linked without PIE (version 3.12)
Latest version: 3.12.3-1ubuntu0.11
Release: noble (24.04)
Level: updates
Repository: universe
Head package: python3.12
Changelog
python3.12 (3.12.3-1ubuntu0.11) noble-security; urgency=medium

  * SECURITY UPDATE: Header injection in email messages where addresses are not
    sanitized.
    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash
      in Lib/email/_header_value_parser.py. Add test in
      Lib/test/test_email/test__header_value_parser.py.
    - CVE-2025-11468
  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML
    documents.
    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace
      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument
      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.
    - CVE-2025-12084
  * SECURITY UPDATE: OOM and denial of service when opening malicious plist
    file.
    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read
      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.
    - CVE-2025-13837
  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.
    - debian/patches/CVE-2025-15282.patch: Add control character checks in
      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.
  * SECURITY UPDATE: Command injection through user controlled commands in
    imaplib.
    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in
      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.
  * SECURITY UPDATE: Command injection through user controlled commands in
    poplib.
    - debian/patches/CVE-2025-15367.patch: Add control character regex check
      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.
    - CVE-2025-15367
  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.
    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and
      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.
    - CVE-2026-0672
  * SECURITY UPDATE: HTTP header injection in user controlled headers and
    values with newlines.
    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in
      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and
      Lib/test/test_wsgiref.py.
    - CVE-2026-0865

 -- Hlib Korzhynskyy <email address hidden> Thu, 22 Jan 2026 17:27:42 -0330

CVE-2025-11468: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be us
CVE-2025-12084: When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadra
CVE-2025-13837: When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
CVE-2025-15282: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-15366: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containi
CVE-2025-15367: The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containin
CVE-2026-0672: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all contro
CVE-2026-0865: User-controlled header names and values containing newlines can allow injecting HTTP headers.

python3.12 (3.12.3-1ubuntu0.10) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP Content-Length denial of service
    - debian/patches/CVE-2025-13836.patch: Read large data in chunks with
      geometric reads in Lib/http/client.py and add tests in
      Lib/test/test_httplib.py
    - CVE-2025-13836

 -- Vyom Yadav <email address hidden> Thu, 08 Jan 2026 17:00:50 +0530

CVE-2025-13836: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malici

python3.12 (3.12.3-1ubuntu0.9) noble-security; urgency=medium

  * SECURITY UPDATE: Possible payload obfuscation
    - debian/patches/CVE-2025-8291.patch: check consistency of
      the zip64 end of central dir record in Lib/zipfile.py,
      Lib/test/test_zipfile.py.
    - CVE-2025-8291
  * SECURITY UPDATE: Performance degradation
    - debian/patches/CVE-2025-6075.patch: fix quadratic complexity
      in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,
      Lib/test/test_genericpatch.py, Lib/test/test_npath.py.
    - CVE-2025-6075

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 06 Nov 2025 10:44:16 -0300

CVE-2025-8291: The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locat
CVE-2025-6075: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

python3.12 (3.12.3-1ubuntu0.8) noble-security; urgency=medium

  * SECURITY UPDATE: Regular expression denial of service.
    - debian/patches/CVE-2025-6069.patch: Improve regex parsing in
      Lib/html/parser.py.
    - CVE-2025-6069
  * SECURITY UPDATE: Infinite loop when parsing tar archives.
    - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in
      Lib/tarfile.py.
    - CVE-2025-8194

 -- Hlib Korzhynskyy <email address hidden> Thu, 14 Aug 2025 15:17:21 -0230

CVE-2025-6069: The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplifie
CVE-2025-8194: There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process

python3.12 (3.12.3-1ubuntu0.7) noble-security; urgency=medium

  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
    tar filtering.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
      unfiltered to ./Lib/tarfile.py. Modify tests.
    - CVE-2024-12718
    - CVE-2025-4138
    - CVE-2025-4330
    - CVE-2025-4435
    - CVE-2025-4517

 -- Hlib Korzhynskyy <email address hidden> Wed, 18 Jun 2025 15:29:45 -0230

CVE-2024-12718: Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extrac
CVE-2025-4138: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4330: Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4435: When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extrac
CVE-2025-4517: Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if