Your message dated Tue, 30 Dec 2025 21:20:12 +0000
with message-id <[email protected]>
and subject line Bug#1117688: fixed in python-socketio 5.16.0-1
has caused the Debian Bug report #1117688,
regarding python-socketio: CVE-2025-61765
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117688
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-socketio
Version: 5.13.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-socketio.
CVE-2025-61765[0]:
| python-socketio is a Python implementation of the Socket.IO realtime
| client and server. A remote code execution vulnerability in python-
| socketio versions prior to 5.14.0 allows attackers to execute
| arbitrary Python code through malicious pickle deserialization in
| multi-server deployments on which the attacker previously gained
| access to the message queue that the servers use for internal
| communications. When Socket.IO servers are configured to use a
| message queue backend such as Redis for inter-server communication,
| messages sent between the servers are encoded using the `pickle`
| Python module. When a server receives one of these messages through
| the message queue, it assumes it is trusted and immediately
| deserializes it. The vulnerability stems from deserialization of
| messages using Python's `pickle.loads()` function. Having previously
| obtained access to the message queue, the attacker can send a
| python-socketio server a crafted pickle payload that executes
| arbitrary code during deserialization via Python's `__reduce__`
| method. This vulnerability only affects deployments with a
| compromised message queue. The attack can lead to the attacker
| executing random code in the context of, and with the privileges of
| a Socket.IO server process. Single-server systems that do not use a
| message queue, and multi-server systems with a secure message queue
| are not vulnerable. In addition to making sure standard security
| practices are followed in the deployment of the message queue, users
| of the python-socketio package can upgrade to version 5.14.0 or
| newer, which remove the `pickle` module and use the much safer JSON
| encoding for inter-server messaging.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61765
https://www.cve.org/CVERecord?id=CVE-2025-61765
[1] https://github.com/miguelgrinberg/python-socketio/security/advisories/GHSA-g8c6-8fjj-2r4m
[2] https://github.com/miguelgrinberg/python-socketio/commit/53f6be094257ed81476b0e212c8cddd6d06ca39a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
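The before/after decoder contrast that the advisory in the report above describes, written out as an added Python example; it is not part of the bug report and not python-socketio's own code. The message fields (method, event, namespace, data, room, host_id) and the set of allowed method names are assumptions modelled loosely on a Socket.IO inter-server emit, and the sample message is constructed; the project's real wire format may differ.

```python
import json
import pickle  # only used here to build a benign pickled sample for the contrast

# Assumed message shape, modelled loosely on a Socket.IO inter-server "emit";
# the real python-socketio wire format may differ.
ALLOWED_METHODS = {"emit", "callback", "disconnect", "close_room",
                   "enter_room", "leave_room"}

# Constructed sample message (not captured from a real deployment).
SAMPLE = {"method": "emit", "event": "chat", "namespace": "/",
          "data": ["hello"], "room": None, "host_id": "srv-1"}


def decode_unsafe(raw: bytes) -> dict:
    """'Before' pattern (versions prior to 5.14.0 as described in the CVE):
    the queue is trusted and the payload goes straight to pickle.loads().
    A pickle stream can name arbitrary callables to invoke while loading,
    so anyone who can write to the queue controls the server process."""
    return pickle.loads(raw)


def encode_safe(msg: dict) -> bytes:
    """'After' pattern: JSON can only express objects, arrays, strings,
    numbers, booleans and null, so the decoder never instantiates
    caller-chosen types."""
    return json.dumps(msg).encode("utf-8")


def decode_safe(raw: bytes) -> dict:
    """Decode an inter-server message as JSON and validate its structure.
    A forged message from a compromised queue is at worst malformed and
    rejected; it can no longer run code inside the server."""
    # Cheap early signal: pickle protocols >= 2 begin with the 0x80 PROTO
    # opcode. This is a detection/logging hook, not the safety property;
    # older pickle protocols lack it, and json.loads() rejects them anyway.
    if raw.startswith(b"\x80"):
        raise ValueError("pickle-framed message on inter-server queue")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"malformed inter-server message: {exc}") from exc
    if not isinstance(msg, dict):
        raise ValueError("inter-server message must be a JSON object")
    method = msg.get("method")
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unknown method {method!r}")
    if method == "emit":
        for field in ("event", "namespace"):
            if not isinstance(msg.get(field), str):
                raise ValueError(f"emit message needs string field {field!r}")
    return msg


def try_decode(raw: bytes):
    """Run the safe decoder and report (accepted, result_or_reason) so a
    queue consumer can count and log rejections instead of crashing."""
    try:
        return True, decode_safe(raw)
    except ValueError as exc:
        return False, str(exc)


def pickled_sample() -> bytes:
    """Benign pickled dict, as the old encoder would have produced it."""
    return pickle.dumps(SAMPLE)


if __name__ == "__main__":
    print(try_decode(encode_safe(SAMPLE)))        # accepted
    print(try_decode(pickled_sample()))           # rejected: pickle-framed
    print(try_decode(b'{"method": "shutdown"}'))  # rejected: unknown method
```

The protection comes from never calling `pickle.loads()` on queue data, not from the `0x80` header check, which is only a convenient place to emit a log line or metric when a pickle-framed message shows up after the upgrade. As the advisory notes, the queue itself still has to be protected (authentication, TLS, network isolation): a writer with queue access can no longer run code, but can still inject well-formed messages such as emits to rooms.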
--- Begin Message ---
Source: python-socketio
Source-Version: 5.16.0-1
Done: Paulo Henrique de Lima Santana (phls) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-socketio, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paulo Henrique de Lima Santana (phls) <[email protected]> (supplier of updated
python-socketio package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 29 Dec 2025 17:42:03 -0300
Source: python-socketio
Architecture: source
Version: 5.16.0-1
Distribution: unstable
Urgency: medium
Maintainer: Paulo Henrique de Lima Santana (phls) <[email protected]>
Changed-By: Paulo Henrique de Lima Santana (phls) <[email protected]>
Closes: 1117688
Changes:
python-socketio (5.16.0-1) unstable; urgency=medium
.
* New upstream version 5.16.0. (Closes: #1117688).
- Fix bug reported on CVE-2025-61765.
* debian/control:
- Bumped Standards-Version to 4.7.3.
- Removed the line Rules-Requires-Root: no.
* debian/manpage: updated manpage copied from upstream.
* debian/copyright: added file from upstream.
* debian/rules: added tests to ignore.
* debian/watch: updated version to 5.
Checksums-Sha1:
513f8f74e19bdc109aaced3d534e76ed6fa2deb4 2336 python-socketio_5.16.0-1.dsc
f1e5a8471fa1dae110a392f9da7c905d1594a91d 127120 python-socketio_5.16.0.orig.tar.gz
301c5c0234815c3be7a9161dfae42845ed5ff37c 35392 python-socketio_5.16.0-1.debian.tar.xz
0b47cadb810bec8caca220ae088da85427bb4889 8651 python-socketio_5.16.0-1_source.buildinfo
Checksums-Sha256:
73f12476f015fffa56d4ef6eefd17a89e4b88f96457b65a761364c806ed0ee77 2336 python-socketio_5.16.0-1.dsc
f79403c7f1ba8b84460aa8fe4c671414c8145b21a501b46b676f3740286356fd 127120 python-socketio_5.16.0.orig.tar.gz
dc858b1f67d1dbeb2bf001070ee45b9775416f72383a1c20d9268a573244f210 35392 python-socketio_5.16.0-1.debian.tar.xz
0eb648778774a44414d561ce9983c5c2ec5838309205ed772afd20e03432eff2 8651 python-socketio_5.16.0-1_source.buildinfo
Files:
146223e387981f53619be82c9e40a1a4 2336 python optional python-socketio_5.16.0-1.dsc
2020f7a9aa9fc74786ff2bdc8b48a68f 127120 python optional python-socketio_5.16.0.orig.tar.gz
3faeb17716ca839c0887548b0f32c0c3 35392 python optional python-socketio_5.16.0-1.debian.tar.xz
2777434d099186fc275e1c555e434283 8651 python optional python-socketio_5.16.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---