Debian dla-4445 : idle-python3.9 - security update

Severity: Medium | Nessus Plugin ID 294786

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4445 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4445-1                https://www.debian.org/lts/security/
Andrej Shadura                                January 20, 2026
                                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python3.9
Version        : 3.9.2-1+deb11u4
CVE ID         : CVE-2022-37454 CVE-2025-4516 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194 CVE-2025-8291 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837

Multiple security fixes in CPython 3.9.

CVE-2022-37454

The Keccak XKCP SHA-3 implementation had an integer overflow and a buffer overflow in the sponge function interface. This allowed attackers to execute arbitrary code or eliminate expected cryptographic properties.

CVE-2025-4516

An issue in bytes.decode("unicode_escape", errors="ignore") and bytes.decode("unicode_escape", errors="replace") could result in a crash.

CVE-2025-6069

The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service.

CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled, a performance degradation was possible when expanding environment variables.

CVE-2025-8194

The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

CVE-2025-8291

The 'zipfile' module did not validate the offset value in the ZIP64 End of Central Directory (EOCD) Locator record and did not use that offset to locate the ZIP64 EOCD record; instead it assumed the ZIP64 EOCD record was the record immediately preceding the Locator in the ZIP archive. This could be abused to create ZIP archives that the 'zipfile' module handles differently from other ZIP implementations.

CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that depend on _clear_id_cache(), the algorithm was quadratic. Availability could be impacted when building excessively nested documents.

CVE-2025-13836

When reading an HTTP response from a server, if no read amount was specified, the default behavior was to trust the server-supplied Content-Length. This allowed a malicious server to cause the client to read large amounts of data into memory, potentially causing out-of-memory (OOM) conditions or other denial of service.

CVE-2025-13837

When loading a plist file, the plistlib module would read data in the size specified by the file itself, meaning a malicious file could cause OOM and DoS issues.

For Debian 11 bullseye, these problems have been fixed in version 3.9.2-1+deb11u4.

We recommend that you upgrade your python3.9 packages.

For the detailed security status of python3.9 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
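Added example, not part of the Debian advisory or of CPython's own code: a defender-side pattern for the failure mode behind CVE-2025-13836, reading an HTTP body without letting the server's Content-Length dictate how much memory the client commits. The three responses are constructed inline and fed to http.client.HTTPResponse through a stand-in socket so the code runs offline; the names _FakeSocket, read_bounded and body_or_error are mine.

```python
import io
import http.client


class _FakeSocket:
    """Stand-in socket: HTTPResponse only needs makefile() to parse a reply."""

    def __init__(self, raw: bytes):
        self._fp = io.BytesIO(raw)

    def makefile(self, mode):
        return self._fp


def parse_response(raw: bytes) -> http.client.HTTPResponse:
    resp = http.client.HTTPResponse(_FakeSocket(raw))
    resp.begin()  # parses status line and headers, leaves the body unread
    return resp


def read_bounded(resp: http.client.HTTPResponse, limit: int, chunk: int = 64 * 1024) -> bytes:
    """Read at most `limit` body bytes; never size a buffer from Content-Length."""
    declared = resp.getheader("Content-Length")
    if declared is not None and int(declared) > limit:
        # Cheap early rejection; the loop below is still needed because the
        # header may be absent (HTTP/1.0 or Connection: close) or simply wrong.
        raise ValueError(f"declared Content-Length {declared} exceeds limit {limit}")
    buf = bytearray()
    while True:
        piece = resp.read(min(chunk, limit + 1 - len(buf)))  # always a bounded amt
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise ValueError(f"body exceeded limit of {limit} bytes")


def body_or_error(raw: bytes, limit: int):
    """Return the body, or the rejection message, for a constructed response."""
    try:
        return read_bounded(parse_response(raw), limit)
    except ValueError as exc:
        return str(exc)


# Constructed sample responses: honest, hostile header, and no length at all.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
HOSTILE_HEADER = b"HTTP/1.1 200 OK\r\nContent-Length: 1000000000000\r\n\r\ntiny"
NO_LENGTH_OVERSIZED = b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n" + b"A" * 300_000
```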

Solution

Upgrade the idle-python3.9 packages.

See Also

https://security-tracker.debian.org/tracker/source-package/python3.9

https://security-tracker.debian.org/tracker/CVE-2022-37454

https://security-tracker.debian.org/tracker/CVE-2025-12084

https://security-tracker.debian.org/tracker/CVE-2025-13836

https://security-tracker.debian.org/tracker/CVE-2025-13837

https://security-tracker.debian.org/tracker/CVE-2025-4516

https://security-tracker.debian.org/tracker/CVE-2025-6069

https://security-tracker.debian.org/tracker/CVE-2025-6075

https://security-tracker.debian.org/tracker/CVE-2025-8194

https://security-tracker.debian.org/tracker/CVE-2025-8291

https://packages.debian.org/source/bullseye/python3.9

Plugin Details

Severity: Medium

ID: 294786

File Name: debian_DLA-4445.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/20/2026

Updated: 1/20/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-37454

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CVSS Score Source: CVE-2025-13836

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:idle-python3.9, p-cpe:/a:debian:debian_linux:libpython3.9-minimal, p-cpe:/a:debian:debian_linux:libpython3.9-dbg, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:python3.9, p-cpe:/a:debian:debian_linux:libpython3.9-dev, p-cpe:/a:debian:debian_linux:python3.9-minimal, p-cpe:/a:debian:debian_linux:python3.9-dbg, p-cpe:/a:debian:debian_linux:libpython3.9-testsuite, p-cpe:/a:debian:debian_linux:libpython3.9, p-cpe:/a:debian:debian_linux:python3.9-venv, p-cpe:/a:debian:debian_linux:python3.9-dev, p-cpe:/a:debian:debian_linux:libpython3.9-stdlib, p-cpe:/a:debian:debian_linux:python3.9-full, p-cpe:/a:debian:debian_linux:python3.9-examples, p-cpe:/a:debian:debian_linux:python3.9-doc

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/20/2026

Vulnerability Publication Date: 10/21/2022

Reference Information

CVE: CVE-2022-37454, CVE-2025-12084, CVE-2025-13836, CVE-2025-13837, CVE-2025-4516, CVE-2025-6069, CVE-2025-6075, CVE-2025-8194, CVE-2025-8291