#1136382 bookworm-pu: package python3.11/3.11.2-6+deb12u8

#1136382#5
Date:
2026-05-13 03:48:10 UTC
From:
To:
Dear Release team,

this is a follow-up update to the +deb12u7 update already accepted in
bookworm-proposed-updates a few weeks ago. It fixes low severity CVEs,
which have been backported to the upstream 3.11 branch for the most
part. It will bring the bookworm package in line with the trixie package
+deb13u2 (currently in trixie-p-u) in terms of CVE fixes.

The debdiff also includes a patch to fix the autopkgtest.

[ CVE details ]

The following patches:

* CVE-2025-13462
* CVE-2026-2297
* CVE-2026-4224
* CVE-2026-4519
* CVE-2026-6100

have been cherry-picked from the upstream 3.11 branch.

CVE-2026-3644 is not yet merged upstream, but it will be included in the
next 3.11 point release, according to:
https://github.com/python/cpython/pull/146026#issuecomment-4418137974

CVE-2026-6019 wasn't merged upstream because the automatic backport
failed, and upstream didn't bother (very low severity), however it turns
out that automatic backport will pass after CVE-2026-3644 is applied, so
it's possible that it will also be backported upstream, cf.
https://github.com/python/cpython/pull/148848#issuecomment-4299364914
(and other comments below).

For this reason I believe it's OK to be a bit ahead of upstream for
these 2 CVE fixes. Note that they both come with unit tests.

[ Autopkgtest fix ]

The debdiff also contains a fix so that the autopkgtest succeeds again.
In short, autopkgtest has been failing for almost a year, since the
upload of expat/2.5.0-1+deb12u2. It makes it difficult to detect
regressions.

I have found a long discussion upstream on the matter, and from my
reading, upstream recommends that downstreams who patched expat skip the
failing tests. This is what I did here. I elaborated a bit more in the
message of the patch itself.

[ Other info ]

The debusine workflow looks good:
https://debusine.debian.net/debian/developers/work-request/688225/

I checked the failures in reverse autopkgtests and they are unrelated.

Git commits are available at:
https://salsa.debian.org/arnaudr/python3.11/-/tree/wip/deb12u8?ref_type=heads

IMPORTANT! The debdiff attached is relative to the version
3.11.2-6+deb12u7 that is already in bookworm-p-u.

Thanks,

Arnaud

#1136382#12
Date:
2026-05-13 04:06:20 UTC
From:
To:
Oh well,

I just noticed that a regression, caused by CVE-2026-6019, was reported
at https://github.com/python/cpython/issues/149144

So here's a new debdiff without this patch.

#1136382#17
Date:
2026-05-23 11:01:09 UTC
From:
To:
Hi,

Please go ahead.

Thanks,

#1136382#24
Date:
2026-05-24 16:06:12 UTC
From:
To:
package release.debian.org
tags 1136382 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: python3.11
Version: 3.11.2-6+deb12u8

Explanation: prevent incorrect tar archive handling [CVE-2025-13462]; ensure bytecode-only imports use normal security checks [CVE-2026-2297]; reject unsafe cookie values [CVE-2026-3644]; prevent XML parser crashes [CVE-2026-4224]; prevent browser command injection [CVE-2026-4519]; prevent bz2/lzma decompressor memory corruption [CVE-2026-6100]; restore XML autopkgtests
