The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4583 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4583-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                     Arnaud Rebillout     May 15, 2026                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : python3.9     Version        : 3.9.2-1+deb11u7     CVE ID         : CVE-2025-13462 CVE-2026-0672 CVE-2026-2297 CVE-2026-3644                      CVE-2026-4224 CVE-2026-4519     Debian Bug     :

    Multiple vulnerabilities were discovered in Python 3.9.

    CVE-2025-13462

        The tarfile module would still apply normalization of AREGTYPE         (\x00) blocks to DIRTYPE, even while processing a multi-block member         such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a         crafted tar archive being misinterpreted by the tarfile module         compared to other implementations.

    CVE-2026-0672

        When using http.cookies.Morsel, user-controlled cookie values and         parameters can allow injecting HTTP headers into messages. Patch         rejects all control characters within cookie names, values, and         parameters.

    CVE-2026-2297

        The import hook in CPython that handles legacy *.pyc files         (SourcelessFileLoader) is incorrectly handled in FileLoader (a base         class) and so does not use io.open_code() to read the .pyc files.
        sys.audit handlers for this audit event therefore do not fire.

    CVE-2026-3644

        The fix for CVE-2026-0672, which rejected control characters in         http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator,         and unpickling paths were not patched, allowing control characters to         bypass input validation. Additionally, BaseCookie.js_output() lacked         the output validation applied to BaseCookie.output().

    CVE-2026-4224

        When an Expat parser with a registered ElementDeclHandler parses an         inline document type definition containing a deeply nested content         model a C stack overflow occurs.

    CVE-2026-4519

        The webbrowser.open() API would accept leading dashes in the URL which         could be handled as command line options for certain web browsers. New         behavior rejects leading dashes. Users are recommended to sanitize         URLs prior to passing to webbrowser.open().

    For Debian 11 bullseye, these problems have been fixed in version     3.9.2-1+deb11u7.

    We recommend that you upgrade your python3.9 packages.

    For the detailed security status of python3.9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/python3.9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dla-4583 : idle-python3.9 - security update

high Nessus Plugin ID 314932

Version 1.2

Version 1.1

Version 1.2 Jun 10, 2026, 9:22 PM CVSS metrics ("CVSSv2 score" set to 10.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 9.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSSv2 score source (changed from "CVE-2026-4519" to "CVE-2025-13462") CVSSv2 severity (based on CVE-2025-13462, severity increased from "Low" to "High") CVSSv3 severity (based on None, severity increased from "Low" to "High") Plugin Feed: 202606102122
Version 1.1 May 15, 2026, 6:15 PM New Plugin Feed: 202605151815