Bug 34808 - python3 new security issues CVE-2025-1383[67] and CVE-2025-12084
Summary: python3 new security issues CVE-2025-1383[67] and CVE-2025-12084
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-12-08 09:26 CET by Nicolas Salguero
Modified: 2025-12-09 20:13 CET

See Also:
Source RPM: python3-3.10.18-1.4.mga9.src.rpm
CVE: CVE-2025-13836, CVE-2025-13837, CVE-2025-12084
Status comment:


Attachments

Description Nicolas Salguero 2025-12-08 09:26:29 CET
Reference: https://www.openwall.com/lists/oss-security/2025/12/05/5

According to Debian, python 2.7 is only affected by CVE-2025-12084.

Cauldron has python3 3.13.11 so only python 2.7 is affected.
Nicolas Salguero 2025-12-08 09:27:37 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-13836, CVE-2025-13837, CVE-2025-12084
Source RPM: (none) => python-2.7.18-20.mga10.src.rpm, python-2.7.18-15.2.mga9.src.rpm, python3-3.10.18-1.4.mga9.src.rpm

Nicolas Salguero 2025-12-08 13:36:50 CET

Summary: python new security issue CVE-2025-12084 and python3 new security issues CVE-2025-1383[67] and CVE-2025-12084 => python3 new security issues CVE-2025-1383[67] and CVE-2025-12084
Version: Cauldron => 9
Source RPM: python-2.7.18-20.mga10.src.rpm, python-2.7.18-15.2.mga9.src.rpm, python3-3.10.18-1.4.mga9.src.rpm => python3-3.10.18-1.4.mga9.src.rpm
Whiteboard: MGA9TOO => (none)

Comment 1 Nicolas Salguero 2025-12-08 13:37:42 CET
For python 2.7, see bug 33313.
Comment 2 Marja Van Waes 2025-12-08 13:57:50 CET
Assigning to the Python Stack maintainers

CC: (none) => marja11
Assignee: bugsquad => python

Comment 3 Nicolas Salguero 2025-12-08 14:12:51 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Excessive read buffering DoS in http.client. (CVE-2025-13836)

Out-of-memory when loading Plist. (CVE-2025-13837)

Quadratic complexity in node ID cache clearing. (CVE-2025-12084)

References:
https://www.openwall.com/lists/oss-security/2025/12/05/5
========================

Updated packages in core/updates_testing:
========================
lib(64)python3-devel-3.10.18-1.5.mga9
lib(64)python3.10-3.10.18-1.5.mga9
lib(64)python3.10-stdlib-3.10.18-1.5.mga9
lib(64)python3.10-testsuite-3.10.18-1.5.mga9
python3-3.10.18-1.5.mga9
python3-docs-3.10.18-1.5.mga9
tkinter3-3.10.18-1.5.mga9
tkinter3-apps-3.10.18-1.5.mga9

from SRPM:
python3-3.10.18-1.5.mga9.src.rpm

Assignee: python => qa-bugs
Status: NEW => ASSIGNED
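As an added illustration (not part of this bug report and not Mageia's own tooling), the script below reimplements rpm's version ordering in plain Python and checks `rpm -q` output against the fixed NVRs from the comment above, so a tester can confirm that the 1.5 builds, not the 1.4 ones, are what is installed. The installed-package lines are a constructed sample, the fixed list is a subset of the one above with the page's lib(64) shorthand expanded to the x86_64 names, and the '^' post-release rule of rpmvercmp is left out.

```python
"""Flag installed python3 packages older than the fixed builds listed above.
Added example, not Mageia tooling: ports rpm's rpmvercmp() ordering (minus the
'^' post-release rule, unused in Mageia releases) so it runs without rpm bindings."""
import re

# Subset of the fixed builds from the suggested advisory, "lib(64)" expanded to x86_64 names.
FIXED_NVRS = [
    "lib64python3.10-3.10.18-1.5.mga9",
    "lib64python3.10-stdlib-3.10.18-1.5.mga9",
    "python3-3.10.18-1.5.mga9",
    "python3-docs-3.10.18-1.5.mga9",
    "tkinter3-3.10.18-1.5.mga9",
]

# Constructed sample of `rpm -q python3 lib64python3.10 ...` output (default
# format NAME-VERSION-RELEASE.ARCH) from a box still on the 1.4 builds.
SAMPLE_RPM_Q = """\
lib64python3.10-3.10.18-1.4.mga9.x86_64
lib64python3.10-stdlib-3.10.18-1.4.mga9.x86_64
python3-3.10.18-1.4.mga9.x86_64
python3-docs-3.10.18-1.5.mga9.noarch
tkinter3-3.10.18-1.4.mga9.x86_64
"""

ARCHES = {"x86_64", "i586", "i686", "aarch64", "armv7hl", "noarch"}


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while True:
        # Skip separators: anything but ASCII alphanumerics and '~'.
        while i < len(a) and not re.match(r"[0-9A-Za-z~]", a[i]):
            i += 1
        while j < len(b) and not re.match(r"[0-9A-Za-z~]", b[j]):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # '~' sorts before anything: 1.0~rc1 < 1.0
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Compare one run of digits, or one run of letters, from each side.
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:  # mixed types: a numeric segment beats an alpha one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not ca and not cb:
        return 0
    return -1 if not ca else 1  # the side that ran out of segments is older


def split_nvra(pkg):
    """Split 'name-[epoch:]version-release[.arch]' into (name, epoch, version, release)."""
    pkg = pkg.strip()
    head, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg = head
    name, version, release = pkg.rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, int(epoch), version, release


def compare_evr(a, b):
    """Order two (epoch, version, release) tuples the way rpm does."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def outdated_packages(rpm_q_output, fixed_nvrs=FIXED_NVRS):
    """Installed NVRAs older than the fixed build of the same name (others ignored)."""
    fixed = {n: (e, v, r) for n, e, v, r in map(split_nvra, fixed_nvrs)}
    outdated = []
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):  # "package X is not installed"
            continue
        name, e, v, r = split_nvra(line)
        if name in fixed and compare_evr((e, v, r), fixed[name]) < 0:
            outdated.append(line)
    return outdated
```

On a Mageia 9 box, feed the output of `rpm -q python3 lib64python3.10 lib64python3.10-stdlib python3-docs tkinter3` to `outdated_packages()`; an empty result means every listed package is at or past the fixed release. Comparing the release string and not only the upstream version matters here, since the fix is carried by the release bump (1.4.mga9 to 1.5.mga9) while the version stays 3.10.18.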

Comment 4 Herman Viaene 2025-12-08 16:28:10 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 33436 for testing:
$ python3 /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py 
Type in the string to be parsed or 'quit' to exit the program
> 5-4
1
> 4-5
-1
> 5*50
250
> 256/4
64.0
> 2^3
8
Looks good.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-12-09 14:26:42 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2025-12-09 18:43:30 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2025-12-09 20:13:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0324.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

