{"id":"USN-8018-3","summary":"python2.7 vulnerabilities","details":"USN-8018-1 fixed CVE-2025-12084, CVE-2025-15282, CVE-2026-0672,\nCVE-2026-0865 for python3. This update provides the corresponding updates\nfor python2.7.\n\nOriginal advisory details:\n\n Denis Ledoux discovered that Python incorrectly parsed email message\n headers. An attacker could possibly use this issue to inject arbitrary\n headers into email messages. This issue only affected python3.6,\n python3.7,  python3.8, python3.9, python3.10, python3.11, python3.12,\n python3.13, and  python3.14 packages. (CVE-2025-11468)\n\n Jacob Walls, Shai Berger, and Natalia Bidart discovered that Python\n inefficiently parsed XML input with quadratic complexity. An attacker\n could  possibly use this issue to cause a denial of service.\n (CVE-2025-12084)\n\n It was discovered that Python incorrectly parsed malicious plist files. An\n attacker could possibly use this issue to cause Python to use excessive\n resources, leading to a denial of service. This issue only affected\n python3.5, python3.6, python3.7, python3.8, python3.9, python3.10,\n python3.11, python3.12, python3.13, and python3.14 packages.\n (CVE-2025-13837)\n\n Omar Hasan discovered that Python incorrectly parsed URL mediatypes. An\n attacker could possibly use this issue to inject arbitrary HTTP headers.\n (CVE-2025-15282)\n\n Omar Hasan discovered that Python incorrectly parsed malicious IMAP\n inputs.  An attacker could possibly use this issue to inject arbitrary\n IMAP  commands. (CVE-2025-15366)\n\n Omar Hasan discovered that Python incorrectly parsed malicious POP3\n inputs.  An attacker could possibly use this issue to inject arbitrary\n POP3  commands. (CVE-2025-15367)\n\n Omar Hasan discovered that Python incorrectly parsed malicious HTTP cookie\n headers. An attacker could possibly use this issue to inject arbitrary\n HTTP  headers. (CVE-2026-0672)\n\n Omar Hasan discovered that Python incorrectly parsed malicious HTTP header\n names and values. An attacker could possibly use this issue to inject\n arbitrary HTTP headers. (CVE-2026-0865)","modified":"2026-05-20T16:03:58.475134303Z","published":"2026-03-19T05:20:43Z","related":["UBUNTU-CVE-2025-12084","UBUNTU-CVE-2025-15282","UBUNTU-CVE-2026-0672","UBUNTU-CVE-2026-0865"],"upstream":["UBUNTU-CVE-2025-12084","UBUNTU-CVE-2025-15282","UBUNTU-CVE-2026-0672","UBUNTU-CVE-2026-0865"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8018-3"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-12084"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-15282"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-0672"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-0865"}],"affected":[{"package":{"name":"python2.7","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python2.7?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.6-8ubuntu0.6+esm29"}]}],"versions":["2.7.5-8ubuntu3","2.7.5-8ubuntu4","2.7.6-2","2.7.6-2ubuntu1","2.7.6-3","2.7.6-3ubuntu1","2.7.6-4","2.7.6-4ubuntu1","2.7.6-5","2.7.6-7","2.7.6-8","2.7.6-8ubuntu0.2","2.7.6-8ubuntu0.3","2.7.6-8ubuntu0.4","2.7.6-8ubuntu0.5","2.7.6-8ubuntu0.6+esm2","2.7.6-8ubuntu0.6+esm3","2.7.6-8ubuntu0.6+esm5","2.7.6-8ubuntu0.6+esm6","2.7.6-8ubuntu0.6+esm7","2.7.6-8ubuntu0.6+esm8","2.7.6-8ubuntu0.6+esm9","2.7.6-8ubuntu0.6+esm10","2.7.6-8ubuntu0.6+esm11","2.7.6-8ubuntu0.6+esm12","2.7.6-8ubuntu0.6+esm13","2.7.6-8ubuntu0.6+esm14","2.7.6-8ubuntu0.6+esm15","2.7.6-8ubuntu0.6+esm16","2.7.6-8ubuntu0.6+esm17","2.7.6-8ubuntu0.6+esm18","2.7.6-8ubuntu0.6+esm20","2.7.6-8ubuntu0.6+esm21","2.7.6-8ubuntu0.6+esm22","2.7.6-8ubuntu0.6+esm24","2.7.6-8ubuntu0.6+esm25","2.7.6-8ubuntu0.6+esm26","2.7.6-8ubuntu0.6+esm28"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro","binaries":[{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"idle-python2.7"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"libpython2.7"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"libpython2.7-minimal"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"libpython2.7-stdlib"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"libpython2.7-testsuite"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"python2.7"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"python2.7-examples"},{"binary_version":"2.7.6-8ubuntu0.6+esm29","binary_name":"python2.7-minimal"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:14.04:LTS","cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-12084"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-15282"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0672"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0865"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8018-3.json"}},{"package":{"name":"python2.7","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python2.7?arch=source&distro=esm-apps%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.12-1ubuntu0~16.04.18+esm19"}]}],"versions":["2.7.10-4ubuntu1","2.7.10-4ubuntu2","2.7.11-2","2.7.11-3","2.7.11-4","2.7.11-6","2.7.11-7","2.7.11-7ubuntu1","2.7.12-1~16.04","2.7.12-1ubuntu0~16.04.1","2.7.12-1ubuntu0~16.04.2","2.7.12-1ubuntu0~16.04.3","2.7.12-1ubuntu0~16.04.4","2.7.12-1ubuntu0~16.04.8","2.7.12-1ubuntu0~16.04.9","2.7.12-1ubuntu0~16.04.11","2.7.12-1ubuntu0~16.04.12","2.7.12-1ubuntu0~16.04.13","2.7.12-1ubuntu0~16.04.14","2.7.12-1ubuntu0~16.04.16","2.7.12-1ubuntu0~16.04.18","2.7.12-1ubuntu0~16.04.18+esm1","2.7.12-1ubuntu0~16.04.18+esm2","2.7.12-1ubuntu0~16.04.18+esm3","2.7.12-1ubuntu0~16.04.18+esm4","2.7.12-1ubuntu0~16.04.18+esm5","2.7.12-1ubuntu0~16.04.18+esm6","2.7.12-1ubuntu0~16.04.18+esm7","2.7.12-1ubuntu0~16.04.18+esm8","2.7.12-1ubuntu0~16.04.18+esm9","2.7.12-1ubuntu0~16.04.18+esm10","2.7.12-1ubuntu0~16.04.18+esm11","2.7.12-1ubuntu0~16.04.18+esm12","2.7.12-1ubuntu0~16.04.18+esm13","2.7.12-1ubuntu0~16.04.18+esm15","2.7.12-1ubuntu0~16.04.18+esm16","2.7.12-1ubuntu0~16.04.18+esm17","2.7.12-1ubuntu0~16.04.18+esm18"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"idle-python2.7"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"libpython2.7"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"libpython2.7-minimal"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"libpython2.7-stdlib"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"libpython2.7-testsuite"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"python2.7"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"python2.7-examples"},{"binary_version":"2.7.12-1ubuntu0~16.04.18+esm19","binary_name":"python2.7-minimal"}]},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8018-3.json"}},{"package":{"name":"python2.7","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python2.7?arch=source&distro=esm-infra%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.17-1~18.04ubuntu1.13+esm14"}]}],"versions":["2.7.14-2ubuntu2","2.7.14-4","2.7.14-6","2.7.14-7","2.7.14-8","2.7.15~rc1-1","2.7.15~rc1-1ubuntu0.1","2.7.15-4ubuntu4~18.04","2.7.15-4ubuntu4~18.04.1","2.7.15-4ubuntu4~18.04.2","2.7.17-1~18.04","2.7.17-1~18.04ubuntu1","2.7.17-1~18.04ubuntu1.1","2.7.17-1~18.04ubuntu1.2","2.7.17-1~18.04ubuntu1.3","2.7.17-1~18.04ubuntu1.5","2.7.17-1~18.04ubuntu1.6","2.7.17-1~18.04ubuntu1.7","2.7.17-1~18.04ubuntu1.8","2.7.17-1~18.04ubuntu1.10","2.7.17-1~18.04ubuntu1.11","2.7.17-1~18.04ubuntu1.13","2.7.17-1~18.04ubuntu1.13+esm1","2.7.17-1~18.04ubuntu1.13+esm2","2.7.17-1~18.04ubuntu1.13+esm3","2.7.17-1~18.04ubuntu1.13+esm4","2.7.17-1~18.04ubuntu1.13+esm5","2.7.17-1~18.04ubuntu1.13+esm6","2.7.17-1~18.04ubuntu1.13+esm7","2.7.17-1~18.04ubuntu1.13+esm8","2.7.17-1~18.04ubuntu1.13+esm10","2.7.17-1~18.04ubuntu1.13+esm11","2.7.17-1~18.04ubuntu1.13+esm12","2.7.17-1~18.04ubuntu1.13+esm13"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"idle-python2.7"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"libpython2.7"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"libpython2.7-minimal"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"libpython2.7-stdlib"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"libpython2.7-testsuite"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"python2.7"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"python2.7-examples"},{"binary_version":"2.7.17-1~18.04ubuntu1.13+esm14","binary_name":"python2.7-minimal"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-12084"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-15282"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0672"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0865"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8018-3.json"}},{"package":{"name":"python2.7","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python2.7?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.18-1~20.04.7+esm9"}]}],"versions":["2.7.17~rc1-1","2.7.17-1","2.7.17-1ubuntu5","2.7.17-1ubuntu6","2.7.18~rc1-2","2.7.18-1~20.04","2.7.18-1~20.04.1","2.7.18-1~20.04.1+esm1","2.7.18-1~20.04.3","2.7.18-1~20.04.3+esm1","2.7.18-1~20.04.4","2.7.18-1~20.04.4+esm1","2.7.18-1~20.04.4+esm2","2.7.18-1~20.04.4+esm3","2.7.18-1~20.04.5","2.7.18-1~20.04.5+esm1","2.7.18-1~20.04.5+esm2","2.7.18-1~20.04.6","2.7.18-1~20.04.6+esm1","2.7.18-1~20.04.7","2.7.18-1~20.04.7+esm3","2.7.18-1~20.04.7+esm4","2.7.18-1~20.04.7+esm6","2.7.18-1~20.04.7+esm7","2.7.18-1~20.04.7+esm8"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"idle-python2.7"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"libpython2.7"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"libpython2.7-minimal"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"libpython2.7-stdlib"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"libpython2.7-testsuite"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"python2.7"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"python2.7-examples"},{"binary_version":"2.7.18-1~20.04.7+esm9","binary_name":"python2.7-minimal"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-12084"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-15282"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0672"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0865"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8018-3.json"}},{"package":{"name":"python2.7","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python2.7?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.18-13ubuntu1.5+esm8"}]}],"versions":["2.7.18-8build1","2.7.18-13","2.7.18-13ubuntu1","2.7.18-13ubuntu1.1","2.7.18-13ubuntu1.1+esm2","2.7.18-13ubuntu1.2","2.7.18-13ubuntu1.2+esm1","2.7.18-13ubuntu1.2+esm2","2.7.18-13ubuntu1.2+esm3","2.7.18-13ubuntu1.3","2.7.18-13ubuntu1.3+esm1","2.7.18-13ubuntu1.4","2.7.18-13ubuntu1.4+esm1","2.7.18-13ubuntu1.5","2.7.18-13ubuntu1.5+esm2","2.7.18-13ubuntu1.5+esm3","2.7.18-13ubuntu1.5+esm5","2.7.18-13ubuntu1.5+esm6","2.7.18-13ubuntu1.5+esm7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"idle-python2.7"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"libpython2.7"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"libpython2.7-minimal"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"libpython2.7-stdlib"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"libpython2.7-testsuite"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"python2.7"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"python2.7-examples"},{"binary_version":"2.7.18-13ubuntu1.5+esm8","binary_name":"python2.7-minimal"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-12084"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-15282"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0672"},{"severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-0865"}],"ecosystem":"Ubuntu:Pro:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8018-3.json"}}],"schema_version":"1.7.5"}