| Package | python3.5 |
|---|---|
| Version | 3.5.3-1+deb9u12 (stretch) |
| Related CVEs | CVE-2025-6069 CVE-2025-6075 CVE-2025-8194 CVE-2025-8291 CVE-2025-12084 CVE-2025-13837 CVE-2025-15282 CVE-2026-0672 CVE-2026-1299 |
Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail and HTTP headers injection, validation bypass of .zip archives, and denial of service (DoS).
-
CVE-2025-6069
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
-
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
-
CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
-
CVE-2025-8291
The ‘zipfile’ module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the ‘zipfile’ module compared to other ZIP implementations.
-
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
-
CVE-2025-13837
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.
-
CVE-2025-15282
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
-
CVE-2026-0672
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
-
CVE-2026-1299
The email module, specifically the “BytesGenerator” class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
For Debian 9 stretch, these problems have been fixed in version 3.5.3-1+deb9u12.
We recommend that you upgrade your python3.5 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.