CVE-2022-48565

Name	CVE-2022-48565
Description	An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3575-1, DLA-3614-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	fixed
	bullseye (security)	7.3.5+dfsg-2+deb11u5	fixed
	bookworm	7.3.11+dfsg-2+deb12u3	fixed
	trixie	7.3.19+dfsg-2	fixed
	forky, sid	7.3.20+dfsg-4	fixed
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	fixed
python3.9 (PTS)	bullseye	3.9.2-1	fixed
	bullseye (security)	3.9.2-1+deb11u3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
pypy3	source	(unstable)	7.3.5+dfsg-2
python2.7	source	buster	2.7.16-2+deb10u3	DLA-3575-1
python2.7	source	bullseye	2.7.18-8+deb11u1
python2.7	source	(unstable)	(unfixed)
python3.7	source	buster	3.7.3-2+deb10u6	DLA-3614-1
python3.7	source	(unstable)	(unfixed)
python3.9	source	(unstable)	3.9.1~rc1-1

Notes

https://bugs.python.org/issue42051
https://github.com/python/cpython/issues/86217
https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 (v3.10.0a2)
https://github.com/python/cpython/commit/479553c7c11306a09ce34edb6ef208133b7b95fe (v3.9.1rc1)
https://github.com/python/cpython/commit/65894cac0835cb8f469f649e20aa1be8bf89f5ae (v3.8.7rc1)
https://github.com/python/cpython/commit/e512bc799e3864fe3b1351757261762d63471efc (v3.7.10)
https://github.com/python/cpython/commit/a158fb9c5138db94adf24fbc5690467cda811163 (v3.6.13)