==========================================================================
Ubuntu Security Notice USN-7348-2
March 24, 2025

python3.5, python3.8 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-7348-1 introduced a regression in Python.

Software Description:
- python3.8: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language

Details:

USN-7348-1 fixed vulnerabilities in Python. The update introduced a
regression. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that the Python ipaddress module contained incorrect
 information about which IP address ranges were considered “private” or
 “globally reachable”. This could possibly result in applications applying
 incorrect security policies. This issue only affected Ubuntu 14.04 LTS
 and Ubuntu 16.04 LTS. (CVE-2024-4032)

 It was discovered that Python incorrectly handled quoting path names when
 using the venv module. A local attacker able to control virtual
 environments could possibly use this issue to execute arbitrary code when
 the virtual environment is activated. (CVE-2024-9287)

 It was discovered that Python incorrectly handled parsing bracketed hosts.
 A remote attacker could possibly use this issue to perform a Server-Side
 Request Forgery (SSRF) attack. This issue only affected Ubuntu 14.04 LTS
 and Ubuntu 16.04 LTS. (CVE-2024-11168)

 It was discovered that Python incorrectly handled parsing domain names 
that
 included square brackets. A remote attacker could possibly use this issue
 to perform a Server-Side Request Forgery (SSRF) attack. (CVE-2025-0938)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  python3.8                       3.8.10-0ubuntu1~20.04.18
  python3.8-minimal               3.8.10-0ubuntu1~20.04.18
  python3.8-venv                  3.8.10-0ubuntu1~20.04.18

Ubuntu 16.04 LTS
  python3.5                       3.5.2-2ubuntu0~16.04.13+esm18
                                  Available with Ubuntu Pro
  python3.5-minimal               3.5.2-2ubuntu0~16.04.13+esm18
                                  Available with Ubuntu Pro
  python3.5-venv                  3.5.2-2ubuntu0~16.04.13+esm18
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  python3.5 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
                                  Available with Ubuntu Pro
  python3.5-minimal 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
                                  Available with Ubuntu Pro
  python3.5-venv 3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7348-2
  https://ubuntu.com/security/notices/USN-7348-1
  CVE-2025-0938

Package Information:
https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.18