Skip to content

DLPX-97865 Ubuntu Security Notification for Python Vulnerabilities (USN-8509-1)#399

Merged
prakashsurya merged 2 commits into
releasefrom
projects/cve-python3.12-usn-8509-1
Jul 10, 2026
Merged

DLPX-97865 Ubuntu Security Notification for Python Vulnerabilities (USN-8509-1)#399
prakashsurya merged 2 commits into
releasefrom
projects/cve-python3.12-usn-8509-1

Conversation

@prakashsurya

@prakashsurya prakashsurya commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Backports the Ubuntu USN-8509-1 python3.12 security update (3.12.3-1ubuntu0.15) to the release-track appliance via the misc-debs extension point. The release build (2026.4.0.0) installs 3.12.3-1ubuntu0.13, which is still vulnerable to these CVEs.

Remediates:

Changes:

  • packages/misc-debs/config.sh: five sha256-pinned debs=() entries — the python3.12 binaries the appliance installs — under a comment block naming the USN, Jira tickets, CVEs, and the Ubuntu archive source.
  • .debs uploaded to http://artifactory.delphix.com/artifactory/linux-pkg/misc-debs/:
    • libpython3.12-minimal_3.12.3-1ubuntu0.15_amd64.deb
    • libpython3.12-stdlib_3.12.3-1ubuntu0.15_amd64.deb
    • libpython3.12t64_3.12.3-1ubuntu0.15_amd64.deb
    • python3.12_3.12.3-1ubuntu0.15_amd64.deb
    • python3.12-minimal_3.12.3-1ubuntu0.15_amd64.deb

Fetched from the Ubuntu 24.04 LTS (noble) noble-security/noble-updates archive.

Test plan

  • PR check passes (make shellcheck + make shfmtcheck — both clean locally on this branch).
  • misc-debs Jenkins pre-push job resolves all five artifactory URLs with matching sha256s.
  • git-ab-pre-push builds an appliance image with 3.12.3-1ubuntu0.15 replacing 0.13; pre-checkin regression passes.
  • On a VM from the resulting image: dpkg-query -W python3.12 reports 3.12.3-1ubuntu0.15.

🤖 Generated with Claude Code

Testing Done

ab-pre-push build #14506: IN PROGRESS

…9-1)

Pin the fixed Ubuntu USN-8509-1 python3.12 binaries (3.12.3-1ubuntu0.15)
into the release appliance via misc-debs. Remediates CVE-2026-6100 (DLPX-97878),
CVE-2025-69534 (DLPX-97875), CVE-2026-4786 (DLPX-97873), CVE-2026-4224
(DLPX-97869), and CVE-2026-3644 (DLPX-97865). The release build ships
3.12.3-1ubuntu0.13.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@prakashsurya prakashsurya enabled auto-merge (squash) July 9, 2026 23:59

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backports Ubuntu USN-8509-1 security-fixed python3.12 binaries into the release-track appliance via the misc-debs meta-package, ensuring the appliance installs 3.12.3-1ubuntu0.15 instead of the currently vulnerable -0.13 build.

Changes:

  • Added five sha256-pinned .deb entries for python3.12 and related runtime libraries corresponding to 3.12.3-1ubuntu0.15.
  • Documented the security context (USN, CVEs, and internal tracking tickets) alongside the pinned artifacts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/misc-debs/config.sh

@dbjwhs-perforce dbjwhs-perforce left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@prakashsurya prakashsurya merged commit c7bea34 into release Jul 10, 2026
13 checks passed
@prakashsurya prakashsurya deleted the projects/cve-python3.12-usn-8509-1 branch July 10, 2026 17:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

4 participants