Your message dated Tue, 30 Dec 2025 21:19:53 +0000
with message-id <[email protected]>
and subject line Bug#1123672: fixed in pymdown-extensions 10.13-4
has caused the Debian Bug report #1123672,
regarding pymdown-extensions: CVE-2025-68142
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123672: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123672
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pymdown-extensions
Version: 10.13-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 10.13-1

Hi,

The following vulnerability was published for pymdown-extensions.

CVE-2025-68142[0]:
| PyMdown Extensions is a set of extensions for the `Python-Markdown`
| markdown project. Versions prior to 10.16.1 have a ReDOS bug found
| within the figure caption extension (`pymdownx.blocks.caption`). In
| systems that take unchecked user content, this could cause long
| hangs when processing the data if a malicious payload was crafted.
| This issue is patched in Release 10.16.1. As a workaround, those who
| process unknown user content without timeouts or other safeguards in
| place to prevent really large, malicious content being aimed at
| systems may avoid the use of `pymdownx.blocks.caption` until they're
| able to upgrade.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68142
    https://www.cve.org/CVERecord?id=CVE-2025-68142
[1] https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq
[2] https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
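
Added example, not part of the bug report and not code from pymdown-extensions: one way to apply the workaround described in the CVE text above (input size cap, timeout, and leaving out `pymdownx.blocks.caption` until the fix is present). The worker script, function names and limits are assumptions; `fix_backported` stands for a distribution backport such as the one in Debian's 10.13-4.

```python
import subprocess
import sys

CAPTION_EXT = "pymdownx.blocks.caption"  # extension named in the advisory
FIXED_UPSTREAM = (10, 16, 1)             # first patched upstream release per the advisory

# Hypothetical worker: renders stdin with Python-Markdown; extensions come from argv.
WORKER = (
    "import sys, markdown\n"
    "sys.stdout.write(markdown.markdown(sys.stdin.read(), extensions=sys.argv[1:]))\n"
)


def parse_version(v):
    """'10.13' -> (10, 13, 0). Plain upstream versions only, no Debian revision."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def allowed_extensions(requested, upstream_version, fix_backported=False):
    """Drop the caption extension unless the installed package carries the fix."""
    if fix_backported or parse_version(upstream_version) >= FIXED_UPSTREAM:
        return list(requested)
    return [e for e in requested if e != CAPTION_EXT]


def render_untrusted(text, extensions, timeout_s=2.0, max_bytes=100_000, worker=WORKER):
    """Render in a child process so a hang can be killed.

    Returns (True, html) on success or (False, reason) when a limit is hit.
    """
    data = text.encode("utf-8")
    if len(data) > max_bytes:  # reject oversized input before any parsing
        return False, "input too large"
    try:
        # subprocess.run kills the child when the timeout expires
        proc = subprocess.run([sys.executable, "-c", worker, *extensions],
                              input=data, capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return False, "render timed out"
    if proc.returncode != 0:
        return False, "renderer failed"
    return True, proc.stdout.decode("utf-8")
```
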
--- Begin Message ---
Source: pymdown-extensions
Source-Version: 10.13-4
Done: Dmitry Shachnev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pymdown-extensions, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <[email protected]> (supplier of updated pymdown-extensions package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Dec 2025 22:34:00 +0300
Source: pymdown-extensions
Architecture: source
Version: 10.13-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Dmitry Shachnev <[email protected]>
Closes: 1123173 1123672
Changes:
 pymdown-extensions (10.13-4) unstable; urgency=medium
 .
   * Team upload.
   * Backport upstream patch to support Python 3.14 (closes: #1123173).
   * Backport upstream patch to fix ReDOS bug in Figure Capture extension
     (CVE-2025-68142, closes: #1123672).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
