UbuntuUpdates.org

Package "python3.13-full"

Name: python3.13-full

Description:

Python Interpreter with complete class library (version 3.13)

Latest version: 3.13.0-1ubuntu0.3
Release: oracular (24.10)
Level: security
Repository: universe
Head package: python3.13

Other versions of "python3.13-full" in Oracular

Repository  Area      Version
updates     universe  3.13.0-1ubuntu0.2

Changelog

Version: 3.13.0-1ubuntu0.3 2025-06-19 18:09:03 UTC

  python3.13 (3.13.0-1ubuntu0.3) oracular-security; urgency=medium

  * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
    tar filtering.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre1.patch: Add additional
      tests in ./Lib/test/test_ntpath.py and ./Lib/test/test_posixpath.py.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517-pre2.patch: Add part_count
      and checks in ./Lib/posixpath.py.
    - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
      ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
      to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
      unfiltered to ./Lib/tarfile.py. Modify tests.
    - CVE-2024-12718
    - CVE-2025-4138
    - CVE-2025-4330
    - CVE-2025-4435
    - CVE-2025-4517

 -- Hlib Korzhynskyy <email address hidden> Tue, 17 Jun 2025 14:33:05 -0230

CVE-2024-12718 Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extrac
CVE-2025-4138 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4330 Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file me
CVE-2025-4435 When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extrac
CVE-2025-4517 Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if

Version: 3.13.0-1ubuntu0.2 2025-05-21 22:07:17 UTC

  python3.13 (3.13.0-1ubuntu0.2) oracular-security; urgency=medium

  * SECURITY UPDATE: IPv6 and IPvFuture hosts parsing correction
    - debian/patches/CVE-2025-0938.patch: [3.13] gh-105704: Disallow
      square brackets (`[` and `]`) in domain names for parsed URLs (GH-
      129418) (GH-129526)
    - CVE-2025-0938

 -- John Breton <email address hidden> Wed, 14 May 2025 21:26:23 +0200

CVE-2025-0938 The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid ac

Version: 3.13.0-1ubuntu0.1 2025-05-06 15:07:42 UTC

  python3.13 (3.13.0-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Command injection
    - debian/patches/CVE-2024-9287.patch: 00443: gh-124651: Quote
      template strings in `venv` activation scripts
    - CVE-2024-9287

 -- John Breton <email address hidden> Fri, 02 May 2025 10:45:16 -0400

CVE-2024-9287 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro


