UbuntuUpdates.org

Package "python3.14-nopie"

Name: python3.14-nopie

Description:

Python interpreter linked without PIE (version 3.14)

Latest version: 3.14.4-1ubuntu0.1
Release: resolute (26.04)
Level: updates
Repository: universe
Head package: python3.14

Links


Download "python3.14-nopie"


Other versions of "python3.14-nopie" in Resolute

Repository Area Version
base universe 3.14.4-1
security universe 3.14.4-1ubuntu0.1

Changelog

Version: 3.14.4-1ubuntu0.1 2026-07-06 18:07:39 UTC

  python3.14 (3.14.4-1ubuntu0.1) resolute-security; urgency=medium

  * SECURITY UPDATE: HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF
    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request
      headers in Lib/http/client.py,
      Lib/test/test_httplib.py.
    - CVE-2026-1502
  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time
    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in
      unicodedata.normalize() in Lib/test/test_unicodedata.py,
      Modules/unicodedata.c.
    - CVE-2026-3276
  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete
    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution
      bypass of dash-prefix check in Lib/test/test_webbrowser.py,
      Lib/webbrowser.py.
    - CVE-2026-4786
  * SECURITY UPDATE: insufficient validation of remote debugging offset tables
    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables
      on load in Modules/_remote_debugging_module.c.
    - CVE-2026-5713
  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()
    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values
      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.
    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for
      UTF-8 support in js_output() in Lib/http/cookies.py,
      Lib/test/test_http_cookies.py.
    - CVE-2026-6019
  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders
    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in
      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,
      Modules/_lzmamodule.c, Modules/zlibmodule.c.
    - CVE-2026-6100
  * SECURITY UPDATE: tarfile.data_filter could be bypassed
    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written
      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.
    - CVE-2026-7774
  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189
    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to
      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.
    - CVE-2026-8328
  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error
    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after
      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.
    - CVE-2026-9669

 -- Marc Deslauriers <email address hidden> Thu, 18 Jun 2026 10:25:02 -0400

CVE-2026-1502 CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
CVE-2026-3276 unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with
CVE-2026-4519 The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behav
CVE-2026-4786 Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.
CVE-2026-5713 The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree"
CVE-2026-6019 http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML
CVE-2026-6100 Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `M
CVE-2026-7774 tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive me
CVE-2021-4189 ftplib should not use the host from the PASV response
CVE-2026-8328 The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV ho
CVE-2026-9669 bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same dec



About   -   Send Feedback to @ubuntu_updates