Your message dated Fri, 08 May 2026 05:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1135116: fixed in python3.13 3.13.5-2+deb13u2
has caused the Debian Bug report #1135116,
regarding pypy3: CVE-2026-6019
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135116: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135116
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pypy3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for pypy3.

CVE-2026-6019[0]:
| http.cookies.Morsel.js_output() returns an inline <script> snippet
| and only escapes " for JavaScript string context. It does not
| neutralize the HTML parser-sensitive sequence </script> inside the
| generated script element. Mitigation base64-encodes the cookie value
| to disallow escaping using cookie value.

https://mail.python.org/archives/list/[email protected]/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
https://github.com/python/cpython/issues/90309
https://github.com/python/cpython/pull/148848
                                 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6019
    https://www.cve.org/CVERecord?id=CVE-2026-6019

Please adjust the affected versions in the BTS as needed.

--- End Message ---
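The escaping gap described in the CVE-2026-6019 text above, as an added example that is not part of the bug report and is not CPython's own code. `legacy_js_output` models the pre-fix behaviour (only `"` escaped) and `hardened_js_output` is a sketch of the base64 mitigation; the function names, the `pref` cookie and the sample value are assumptions constructed for the illustration.

```python
import base64
import re
from http.cookies import SimpleCookie

# Constructed sample value containing the sequence named in the advisory.
SAMPLE_VALUE = "a</script>b"

# An HTML parser ends a script element at "</script" followed by
# whitespace, "/" or ">", regardless of JavaScript string quoting.
SCRIPT_CLOSE = re.compile(r"</script[\s/>]", re.IGNORECASE)


def make_morsel(value):
    """Build a Morsel through the public SimpleCookie API."""
    jar = SimpleCookie()
    jar["pref"] = value  # "pref" is a hypothetical cookie name
    return jar["pref"]


def legacy_js_output(morsel):
    """Model of the pre-fix behaviour: only '"' is escaped."""
    payload = morsel.OutputString().replace('"', r'\"')
    return ('<script type="text/javascript">\n'
            'document.cookie = "%s";\n'
            '</script>\n' % payload)


def hardened_js_output(morsel):
    """Sketch of the mitigation: base64 text contains neither '<' nor '"'."""
    # ASCII only in this sketch; non-ASCII input raises instead of being emitted.
    raw = morsel.OutputString().encode("ascii")
    encoded = base64.b64encode(raw).decode("ascii")
    return ('<script type="text/javascript">\n'
            'document.cookie = atob("%s");\n'
            '</script>\n' % encoded)


def script_closers(snippet):
    """Count sequences that terminate a script element in the snippet."""
    return len(SCRIPT_CLOSE.findall(snippet))


def embedded_cookie(snippet):
    """Decode the cookie string carried by a hardened snippet."""
    encoded = re.search(r'atob\("([A-Za-z0-9+/=]*)"\)', snippet).group(1)
    return base64.b64decode(encoded).decode("ascii")


if __name__ == "__main__":
    m = make_morsel(SAMPLE_VALUE)
    print("legacy closers:  ", script_closers(legacy_js_output(m)))
    print("hardened closers:", script_closers(hardened_js_output(m)))
```

A count above one means the cookie value ended the script element before the template's own closing tag, which is the condition the CVE text describes.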
--- Begin Message ---
Source: python3.13
Source-Version: 3.13.5-2+deb13u2
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python3.13, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated python3.13 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 23:05:52 +0200
Source: python3.13
Architecture: source
Version: 3.13.5-2+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1135116
Changes:
 python3.13 (3.13.5-2+deb13u2) trixie; urgency=medium
 .
   * CVE-2026-3446
   * CVE-2026-4224
   * CVE-2026-3644
   * CVE-2026-4519
   * CVE-2026-6019 (Closes: #1135116)
   * CVE-2026-6100

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
