{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "libpython3.10:s390x",
                "libpython3.10-minimal:s390x",
                "libpython3.10-stdlib:s390x",
                "python3.10",
                "python3.10-minimal",
                "tar"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libpython3.10:s390x",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10-minimal:s390x",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10-stdlib:s390x",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.10",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.10-minimal",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tar",
                "from_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.34+dfsg-1ubuntu0.1.22.04.3",
                    "version": "1.34+dfsg-1ubuntu0.1.22.04.3"
                },
                "to_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.34+dfsg-1ubuntu0.1.22.04.4",
                    "version": "1.34+dfsg-1ubuntu0.1.22.04.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-45582",
                        "url": "https://ubuntu.com/security/CVE-2025-45582",
                        "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-11 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-45582",
                                "url": "https://ubuntu.com/security/CVE-2025-45582",
                                "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-11 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: File overwrite via directory traversal",
                            "    - debian/patches/CVE-2025-45582-*.patch: Backport openat2 support in",
                            "      order to jailify the extraction directory.",
                            "    - CVE-2025-45582",
                            ""
                        ],
                        "package": "tar",
                        "version": "1.34+dfsg-1ubuntu0.1.22.04.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 27 Jun 2026 17:53:20 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20260705 to 20260706",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260705",
    "to_serial": "20260706",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}