Opened 3 weeks ago

Closed 11 days ago

#5896 closed enhancement (fixed)

Python security fixes: CVE-2026-4224,3644,4519

Reported by: Joe Locash Owned by: Douglas R. Reno
Priority: high Milestone: 13.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

3 CVE's have been fixed in Python recently mostly affecting versions before 3.15:

CVE-2026-4224 CVE-2026-3644 CVE-2026-4519

From https://www.openwall.com/lists/oss-security/2026/03/16/4:

There is a HIGH severity vulnerability affecting CPython.

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

Please see the linked CVE ID for the latest information on affected versions:

From https://www.openwall.com/lists/oss-security/2026/03/16/5:

There is a MEDIUM severity vulnerability affecting CPython.

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Please see the linked CVE ID for the latest information on affected versions:

From https://www.openwall.com/lists/oss-security/2026/03/20/1:

There is a MEDIUM severity vulnerability affecting CPython.

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Please see the linked CVE ID for the latest information on affected versions:

Attached is a patch with the fixes rediffed for 3.14.3.

Attachments (1)

python-3.14.3-security_fixes.patch (12.9 KB ) - added by Joe Locash 3 weeks ago.

Download all attachments as: .zip

Change History (4)

by Joe Locash, 3 weeks ago

Attachment: python-3.14.3-security_fixes.patch added

comment:1 by Bruce Dubbs, 2 weeks ago

Fixed at commit 5ec984b65e.

Leaving open for security advisory.

comment:2 by Bruce Dubbs, 2 weeks ago

Owner: changed from lfs-book to Douglas R. Reno

Reassigning for security advisories.

comment:3 by Douglas R. Reno, 11 days ago

Resolution: fixed
Status: newclosed

SA-13.0-022 issued.

Note: See TracTickets for help on using tickets.