CVE-2025-15367 CVE-2026-0672 CVE-2026-0865 CVE-2026-1299
This upload fixes a regression introduced in 3.9.2-1+deb11u4 (DLA 4445-1) and also fixes multiple security issues in CPython 3.9.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that depend on _clear_id_cache(), the algorithm
had quadratic complexity. Availability could be impacted when building
excessively nested documents.
The fix for this CVE in the previous upload caused a regression in
software that relied on the ownerDocument attribute always being present
on Element instances. This regression has now been fixed.
CVE-2026-0672, CVE-2026-0865, CVE-2025-15282, CVE-2025-15366, CVE-2025-15367
These are all similar vulnerabilities in the following modules:
http.cookies, wsgiref.headers, imaplib, poplib and urllib. In each of
them, control characters were handled incorrectly, allowing injection
of additional cookies, headers or commands. Control characters are
now rejected in these contexts.
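The fixed modules now refuse values containing control characters themselves. Application code that builds cookies or response headers from request-derived data benefits from doing the same check before the value ever reaches the library, so that a rejected value is logged with its position instead of surfacing as a library exception. The following is an added example, not code from the Debian package or from CPython; the function names, the choice to reject every C0 control character plus DEL (HTAB included, which is stricter than HTTP itself requires) and the sample values are all constructed for illustration.

```python
"""Pre-validate cookie and header values before handing them to the stdlib.

Added illustration for the control-character fixes in http.cookies and
wsgiref.headers; not part of the python3.9 package or of CPython.
"""
from __future__ import annotations

import http.cookies
import wsgiref.headers

# C0 controls (0x00-0x1F) plus DEL (0x7F). HTAB is deliberately included:
# fail closed rather than reason about which delimiters a peer tolerates.
CONTROL_CHARS = frozenset(chr(c) for c in range(0x20)) | frozenset({"\x7f"})


def find_control_chars(value: str) -> list[tuple[int, str]]:
    """Return (index, hex code) for every control character in value.

    An empty list means the value is safe to pass on; a non-empty list is
    what you would want in the audit log when a value is rejected.
    """
    return [(i, f"0x{ord(ch):02x}") for i, ch in enumerate(value)
            if ch in CONTROL_CHARS]


def build_safe_cookie_headers(pairs):
    """Render Set-Cookie lines for accepted (name, value) pairs.

    Rendering is done by http.cookies.SimpleCookie, so legal values are
    encoded exactly as the stdlib encodes them. Names of rejected cookies are
    returned separately so the caller can log them.
    """
    jar = http.cookies.SimpleCookie()
    rejected: list[str] = []
    for name, value in pairs:
        if find_control_chars(name) or find_control_chars(value):
            rejected.append(name)
            continue
        jar[name] = value
    return [morsel.output() for morsel in jar.values()], rejected


def build_safe_wsgi_headers(pairs):
    """Populate a wsgiref.headers.Headers object, skipping unsafe values.

    Returns (accepted header items, rejected header names).
    """
    headers = wsgiref.headers.Headers([])
    rejected: list[str] = []
    for name, value in pairs:
        if find_control_chars(name) or find_control_chars(value):
            rejected.append(name)
            continue
        headers.add_header(name, value)
    return headers.items(), rejected


if __name__ == "__main__":
    # Constructed sample input: one benign cookie, one carrying CRLF that would
    # otherwise read as a second Set-Cookie line.
    sample_cookies = [("session", "abc123"),
                      ("tracker", "x\r\nSet-Cookie: admin=1")]
    print(build_safe_cookie_headers(sample_cookies))
    sample_headers = [("X-Trace", "abc"), ("Location", "/\r\nX-Bad: 1")]
    print(build_safe_wsgi_headers(sample_headers))
```

The check runs on the Python string before any encoding, so it catches the same characters in cookie names, cookie values and header values alike; the library's own rejection then acts as the second line of defence.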
CVE-2025-11468
A header injection issue similar to the above. Comments consisting of a very
long sequence of non-foldable characters could trigger a forced line wrap
that omitted the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as a new
header field.
CVE-2026-1299
Another header injection issue: the email module allowed header injection
through the BytesGenerator class. BytesGenerator now refuses to serialize
headers that are unsafely folded or delimited.
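Both email issues above (CVE-2025-11468 and CVE-2026-1299) come down to the same property of a serialized header block: every physical line is either the start of a field (`name:`) or a continuation that begins with whitespace, and the set of fields that comes out must be the set that went in. The audit below checks exactly that on the bytes BytesGenerator produced, which is useful as a regression test around the fix or as a guard in a mail-sending path. It is an added example, not code from CPython or the Debian package; the function names and the sample header blocks are constructed for illustration, and the "injected" sample is hand-written to show what the audit reports, not output of any CPython version.

```python
"""Audit a serialized RFC 5322 header block for unsafe folding.

Added illustration for CVE-2025-11468 / CVE-2026-1299; not part of CPython or
of the python3.9 package.
"""
from __future__ import annotations

import io
import re
from email import policy
from email.generator import BytesGenerator
from email.message import EmailMessage

# RFC 5322 field name: printable US-ASCII except ':', followed by ':'.
FIELD_START = re.compile(rb"^([\x21-\x39\x3b-\x7e]+):")


def audit_header_block(raw: bytes) -> tuple[list[str], list[str]]:
    """Walk the header block (up to the first empty line) of a serialized message.

    Returns (field names in order, problems). A continuation line must start
    with SP or HTAB; a line that is neither a continuation nor 'name:' is the
    symptom of a wrap that lost its leading space. Stray CR or other control
    bytes (HTAB excepted) are reported as well.
    """
    names: list[str] = []
    problems: list[str] = []
    for lineno, line in enumerate(raw.split(b"\n"), 1):
        if line.endswith(b"\r"):
            line = line[:-1]          # tolerate CRLF line endings
        if line == b"":
            break                     # end of header block
        if any((b < 0x20 and b != 0x09) or b == 0x7f for b in line):
            problems.append(f"line {lineno}: control byte inside header")
        if line[:1] in (b" ", b"\t"):
            if not names:
                problems.append(f"line {lineno}: continuation before any field")
            continue
        m = FIELD_START.match(line)
        if m is None:
            problems.append(f"line {lineno}: not a field and not a folded continuation")
            continue
        names.append(m.group(1).decode("ascii"))
    return names, problems


def audit_against_expected(raw: bytes, expected: list[str]) -> list[str]:
    """Structural audit plus a comparison with the fields the sender intended."""
    names, problems = audit_header_block(raw)
    found = {n.lower() for n in names}
    wanted = {n.lower() for n in expected}
    for extra in sorted(found - wanted):
        problems.append(f"unexpected field {extra!r} appeared during serialization")
    for missing in sorted(wanted - found):
        problems.append(f"expected field {missing!r} is missing")
    return problems


def serialize_and_audit(msg: EmailMessage) -> tuple[bytes, list[str]]:
    """Serialize with BytesGenerator and audit the result against msg.keys()."""
    buf = io.BytesIO()
    BytesGenerator(buf, policy=policy.default).flatten(msg)
    raw = buf.getvalue()
    return raw, audit_against_expected(raw, list(msg.keys()))


def build_demo_message() -> EmailMessage:
    """Constructed benign message used to show a clean audit."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["Subject"] = "status"
    msg.set_content("body")
    return msg


# Constructed samples (not real generator output): a wrap that lost its leading
# space, and a wrap whose remainder happens to look like a new field.
SAMPLE_MALFORMED = b"From: alice@example.com\nSubject: (aaaa\naaaa)\n\nbody\n"
SAMPLE_INJECTED = b"From: alice@example.com\nSubject: status\nX-Injected: 1\n\nbody\n"

if __name__ == "__main__":
    print(serialize_and_audit(build_demo_message())[1])
    print(audit_header_block(SAMPLE_MALFORMED))
    print(audit_against_expected(SAMPLE_INJECTED, ["From", "Subject"]))
```

The second sample shows why the structural check alone is not enough: a lost leading space produces a perfectly well-formed extra field, so the audit also has to compare the fields found with the fields the application set.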
3.9.2-1+deb11u5