| Package | python2.7 |
|---|---|
| Version | 2.7.13-2+deb9u12 (stretch), 2.7.16-2+deb10u7 (buster) |
| Related CVEs | CVE-2025-6069 CVE-2025-6075 CVE-2025-8194 CVE-2025-12084 CVE-2026-0672 |
Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause HTTP headers injection and denial of service (DoS).
-
CVE-2025-6069
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
-
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
-
CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
-
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
-
CVE-2026-0672
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
For Debian 10 buster, these problems have been fixed in version 2.7.16-2+deb10u7.
For Debian 9 stretch, these problems have been fixed in version 2.7.13-2+deb9u12.
We recommend that you upgrade your python2.7 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.