ELA-1348-1 python2.7 security update

Package	python2.7
Version	2.7.13-2+deb9u10 (stretch)
Related CVEs	CVE-2023-27043 CVE-2024-0397 CVE-2024-5642 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-11168 CVE-2025-0938

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory corruption, memory leak, improper validation and denial of service (DoS).

• CVE-2023-27043

  The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).

• CVE-2024-0397

  memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.

• CVE-2024-5642

  CPython doesn’t disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

• CVE-2024-6232

  Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

• CVE-2024-6923

  The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

• CVE-2024-7592

  When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

• CVE-2024-11168

  The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

• CVE-2025-0938

  urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

For Debian 9 stretch, these problems have been fixed in version 2.7.13-2+deb9u10.

We recommend that you upgrade your python2.7 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.