UbuntuUpdates.org

Package "python3.12"

Name: python3.12

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • IDE for Python (v3.12) using Tkinter
  • Testsuite for the Python standard library (v3.12)
  • Python Interpreter with complete class library (version 3.12)
  • Python interpreter linked without PIE (version 3.12)
Latest version: 3.12.7-1ubuntu2.2
Release: oracular (24.10)
Level: security
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "python3.12" in Oracular

Repository Area Version
base universe 3.12.7-1
base main 3.12.7-1
security main 3.12.7-1ubuntu2.2
updates main 3.12.7-1ubuntu2.2
updates universe 3.12.7-1ubuntu2.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.12.7-1ubuntu2.2 2025-06-19 18:09:03 UTC

  python3.12 (3.12.7-1ubuntu2.2) oracular-security; urgency=medium

  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
    tar filtering.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
      unfiltered to ./Lib/tarfile.py. Modify tests.
    - CVE-2024-12718
    - CVE-2025-4138
    - CVE-2025-4330
    - CVE-2025-4435
    - CVE-2025-4517

 -- Hlib Korzhynskyy <email address hidden> Wed, 18 Jun 2025 10:46:51 -0230
Source diff to previous version
CVE-2024-12718 Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extrac
CVE-2025-4138 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4330 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4435 When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extrac
CVE-2025-4517 Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if

Version: 3.12.7-1ubuntu2.1 2025-06-16 14:07:07 UTC

  python3.12 (3.12.7-1ubuntu2.1) oracular-security; urgency=medium

  * SECURITY UPDATE: DoS via bytes.decode with unicode_escape
    - debian/patches/CVE-2025-4516.patch: fix use-after-free in the
      unicode-escape decoder with an error handler in
      Include/internal/pycore_bytesobject.h,
      Include/internal/pycore_unicodeobject.h,
      Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
      Objects/bytesobject.c, Objects/unicodeobject.c,
      Parser/string_parser.c.
    - CVE-2025-4516

 -- Marc Deslauriers <email address hidden> Mon, 26 May 2025 12:48:09 -0400
Source diff to previous version
CVE-2025-4516 There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding

Version: 3.12.7-1ubuntu2 2025-02-20 23:07:33 UTC

  python3.12 (3.12.7-1ubuntu2) oracular-security; urgency=medium

  * SECURITY UPDATE: urlparse does not flag hostname with square brackets
    as incorrect
    - debian/patches/CVE-2025-0938.patch: disallow square brackets in
      domain names for parsed URLs in Lib/test/test_urlparse.py,
      Lib/urllib/parse.py.
    - CVE-2025-0938

 -- Marc Deslauriers <email address hidden> Tue, 04 Feb 2025 09:46:03 -0500
Source diff to previous version
CVE-2025-0938 The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid ac

Version: 3.12.7-1ubuntu1.1 2025-01-20 18:07:57 UTC

  python3.12 (3.12.7-1ubuntu1.1) oracular-security; urgency=medium

  * SECURITY UPDATE: memory exhaustion issue in asyncio
    - debian/patches/CVE-2024-12254.patch: ensure to pause the protocol if
      needed in Lib/asyncio/selector_events.py,
      Lib/test/test_asyncio/test_selector_events.py.
    - CVE-2024-12254

 -- Marc Deslauriers <email address hidden> Fri, 17 Jan 2025 11:55:27 -0500
Source diff to previous version
CVE-2024-12254 Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain t

Version: 3.12.7-1ubuntu1 2024-11-19 15:07:23 UTC

  python3.12 (3.12.7-1ubuntu1) oracular-security; urgency=medium

  * SECURITY UPDATE: incorrect quoting in venv module
    - debian/patches/CVE-2024-9287.patch: quote template strings in venv
      activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,
      Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,
      Lib/venv/scripts/posix/activate.csh,
      Lib/venv/scripts/posix/activate.fish.
    - CVE-2024-9287

 -- Marc Deslauriers <email address hidden> Wed, 06 Nov 2024 13:29:01 -0500
CVE-2024-9287 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro


About   -   Send Feedback to @ubuntu_updates