| Package | python2.7 |
|---|---|
| Version | 2.7.16-2+deb10u5 (buster) |
| Related CVEs | CVE-2023-27043 CVE-2024-0397 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-11168 CVE-2025-0938 |
Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory corruption, improper validation and denial of service (DoS).
- CVE-2023-27043: The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC 2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
- CVE-2024-0397: Memory race condition with the ssl.SSLContext methods "cert_store_stats()" and "get_ca_certs()" in the "ssl" module. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.
- CVE-2024-6232: Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically crafted tar archives.
- CVE-2024-6923: The email module didn't properly quote newlines in email headers when serializing an email message, allowing header injection when an email is serialized.
- CVE-2024-7592: When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
- CVE-2024-11168: The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
- CVE-2025-0938: urllib.parse.urlsplit and urlparse accepted domain names that included square brackets, which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
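The two email issues above (CVE-2023-27043 and CVE-2024-6923) share a defensive lesson: an application should not let a lenient parser decide which addr-spec it is looking at, and it should never place a value containing CR or LF into a header. The following is an added example written for this page, not code from the advisory or from CPython; it is Python 3 (the affected package is python2.7, but the pattern is the same). The strict mailbox grammar is a deliberately small subset of RFC 5322 chosen here (dot-atom local part and domain, optional plain or quoted display name), and every address and domain in it is a constructed sample.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Strict subset of the RFC 5322 mailbox grammar (an assumption of this example):
# dot-atom local part, dot-atom domain with at least one dot, and an optional
# display name that is either a run of plain characters or a quoted-string.
# No comments, no domain literals, no obsolete syntax. Input that does not
# match in full is rejected rather than "repaired" by a lenient parser.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_ADDR_SPEC = rf"{_ATEXT}(?:\.{_ATEXT})*@{_DOMAIN}"
_BARE_RE = re.compile(rf"^{_ADDR_SPEC}$")
_NAMED_RE = re.compile(rf'^(?:[A-Za-z0-9 ._-]+|"[^"\\\r\n]*")\s*<({_ADDR_SPEC})>$')


def extract_addr_spec(value):
    """Return the lower-cased addr-spec of exactly one mailbox, or None when
    the whole input does not match the strict grammar above."""
    value = value.strip()
    if _BARE_RE.match(value):
        return value.lower()
    m = _NAMED_RE.match(value)
    return m.group(1).lower() if m else None


def domain_allowed(value, allowed_domains):
    """Signup-style gate: True only if the single mailbox in `value` belongs
    to an allowed domain. The decision never uses a lenient parser's output."""
    addr = extract_addr_spec(value)
    if addr is None:
        return False
    return addr.rpartition("@")[2] in {d.lower() for d in allowed_domains}


def lenient_vs_strict(value):
    """Return (what parseaddr() extracts, what the strict grammar extracts) so
    an auditor can see on their own interpreter where the two disagree."""
    return parseaddr(value)[1], extract_addr_spec(value)


def set_header(msg, name, value):
    """Set a header only if the value cannot start a new header line."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"refusing to set {name!r}: CR or LF in header value")
    msg[name] = value
    return msg


def build_message(sender, recipient, subject, body):
    """Assemble a message from untrusted inputs, refusing any address that
    fails the strict grammar and any header value containing a line break."""
    for label, value in (("From", sender), ("To", recipient)):
        if extract_addr_spec(value) is None:
            raise ValueError(f"{label} is not a single well-formed mailbox")
    msg = EmailMessage()
    set_header(msg, "From", sender)
    set_header(msg, "To", recipient)
    set_header(msg, "Subject", subject)
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed inputs: one clean mailbox, one with a stray special
    # character followed by a second address, one with an injected header.
    for sample in ("Alice Example <alice@company.example.com>",
                   "alice@company.example.com]<bob@attacker.example>"):
        print(sample, "->", lenient_vs_strict(sample))
    try:
        build_message("alice@company.example.com", "bob@company.example.com",
                      "Hello\r\nBcc: eve@attacker.example", "hi")
    except ValueError as exc:
        print("rejected:", exc)
```

On a patched interpreter `lenient_vs_strict()` will often agree with the strict result; the value of the strict check is that the allow-list decision does not depend on which interpreter version happens to be installed.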
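For CVE-2024-11168 and CVE-2025-0938 the practical mitigation on the application side is to classify the host with the RFC 3986 rule yourself before using it in an allow-list decision: square brackets may only enclose an entire IPv6 or IPvFuture literal, and anything else involving brackets is rejected. The block below is an added example written for this page (Python 3, not code from the advisory or from CPython); the `classify_host` and `is_allowed_url` names and the host names in the samples are constructed. It treats a `ValueError` from `urlsplit()` (which patched interpreters raise for some malformed bracketed hosts) as a rejection, so the verdict is the same on patched and unpatched versions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IPvFuture per RFC 3986 section 3.2.2:
#   "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE_RE = re.compile(r"^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")

# A bracketed host must be the whole host: "[" literal "]" with at most ":port" after it.
_BRACKETED_RE = re.compile(r"^\[([^\[\]]*)\](?::(\d*))?$")


def classify_host(url):
    """Classify the host of a URL the way a strict RFC 3986 parser would.

    Returns ("ok", host) for a plain reg-name, a bracketed IPv6 literal or a
    bracketed IPvFuture literal, and ("reject", reason) for anything involving
    square brackets that does not fit that grammar. Unpatched interpreters
    accept such hosts silently, so the check is made here rather than by
    trusting urlsplit() alone.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # Patched interpreters already refuse some malformed bracketed hosts.
        return ("reject", f"urlsplit() refused the URL: {exc}")

    # Drop userinfo; only the host[:port] portion matters for this decision.
    hostport = parts.netloc.rpartition("@")[2]

    if "[" not in hostport and "]" not in hostport:
        host = hostport.partition(":")[0]
        return ("ok", host) if host else ("reject", "empty host")

    m = _BRACKETED_RE.match(hostport)
    if not m:
        return ("reject", "square brackets must enclose the entire host literal")
    literal = m.group(1)
    try:
        ipaddress.IPv6Address(literal)  # raises ValueError for IPv4 and non-addresses
        return ("ok", literal)
    except ValueError:
        pass
    if _IPVFUTURE_RE.match(literal):
        return ("ok", literal)
    return ("reject", "bracketed host is neither an IPv6 nor an IPvFuture literal")


def is_allowed_url(url, allowed_hosts):
    """Allow-list gate for outbound requests (an SSRF control): the URL passes
    only if its strictly classified host is on the list."""
    verdict, host = classify_host(url)
    return verdict == "ok" and host.lower() in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample URLs covering the accepted and rejected shapes.
    for sample in ("https://api.example.com/v1",
                   "http://[::1]:8080/health",
                   "http://[v1.fe80::a+en1]/",
                   "http://[example.com]/",
                   "http://ex[a]mple.com/"):
        print(sample, "->", classify_host(sample))
```

Because the verdict is computed from the netloc string rather than from `parts.hostname`, a URL that two parsers would split differently is rejected outright instead of being passed on to whichever parser the next hop happens to use.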
For Debian 10 buster, these problems have been fixed in version 2.7.16-2+deb10u5.
We recommend that you upgrade your python2.7 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.