Your message dated Fri, 06 Feb 2026 01:05:07 +0000
with message-id <[email protected]>
and subject line Bug#1122743: fixed in python-urllib3 2.6.3-1
has caused the Debian Bug report #1122743,
regarding python3-urllib3: Brotli DecodeError with chunked transfer encoding: 
"can_accept_more_data() is False"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122743
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-urllib3
Version: 2.5.0-1
Severity: important
Forwarded: https://github.com/urllib3/urllib3/issues/3734

Hi,

I'm filing as important because I'm not sure how widespread the problem is.
There's apparently an issue in urllib < 2.6.2 with brotli >= 1.2.0.

I have python3-brotlicffi installed (because of a calibre dependency)
and it is at version 1.2.0 while python3-brotli is still at 1.1.0 (see
below), and it seems to trigger the bug.

There's an upstream issue at
https://github.com/urllib3/urllib3/issues/3734 which is apparently fixed
in 2.6.2, if you could update it in Debian?

Note: I'm not sure why the bug wasn't filed and fixed in brotli, I'm
merely forwarding the upstream bug here :/

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: forky/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.17.9+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-urllib3 depends on:
ii  python3  3.13.9-2

Versions of packages python3-urllib3 recommends:
ii  ca-certificates  20250419

Versions of packages python3-urllib3 suggests:
ii  python3-brotli        1.1.0-2+b9
ii  python3-cryptography  46.0.1-1
ii  python3-idna          3.10-1
ii  python3-openssl       25.3.0-1
ii  python3-socks         1.7.1+dfsg-1

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.6.3-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Feb 2026 00:37:49 +0000
Source: python-urllib3
Architecture: source
Version: 2.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1122029 1122743
Changes:
 python-urllib3 (2.6.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2025-66471: Fixed a security issue where streaming API could
       improperly handle highly compressed HTTP content ("decompression
       bombs") leading to excessive resource consumption even when a small
       amount of data was requested.  Reading small chunks of compressed data
       is safer and much more efficient now (closes: #1122029).
     - Fixed HTTPResponse.read_chunked() to properly handle leftover data in
       the decoder's buffer when reading compressed chunked responses
       (closes: #1122743).
   * Bump Build-Depends/Suggests on python3-brotli to >= 1.2.0 to improve the
     fix for CVE-2025-66418.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
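
The two upstream changes named in the changelog above (bounded output when only a small amount is requested, and leftover data held by the decoder between chunked reads) can be illustrated with a streaming decoder. This is an added example, not urllib3's code and not part of the original messages; it uses the standard-library zlib decoder in place of Brotli, and the function names, limits and sample body are constructed for illustration.

```python
import zlib

def wire_chunks(blob, size=1024):
    """Split a compressed body into pieces, as chunked transfer encoding would."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]

def unbounded_peak(chunks):
    """Weak pattern: decode each wire chunk fully; return the largest single output."""
    decoder = zlib.decompressobj()
    return max(len(decoder.decompress(c)) for c in chunks)

def bounded_read(chunks, amt, max_total):
    """Yield pieces of at most `amt` decoded bytes; fail once `max_total` is passed."""
    decoder = zlib.decompressobj()
    total = 0
    for chunk in chunks:
        data = chunk
        while True:
            out = decoder.decompress(data, amt)  # max_length caps this call's output
            data = decoder.unconsumed_tail        # input held back by the cap: feed it again
            total += len(out)
            if total > max_total:
                raise ValueError("decoded body exceeds max_total")
            if out:
                yield out
            # A short piece with no held-back input means the decoder needs more wire data.
            if not data and len(out) < amt:
                break
    if not decoder.eof:
        raise ValueError("compressed stream ended early")

# Constructed sample: 10 MB of zero bytes, which compresses to roughly 10 kB.
BODY = zlib.compress(b"\0" * 10_000_000)
CHUNKS = wire_chunks(BODY)

if __name__ == "__main__":
    print("compressed bytes:", len(BODY))
    print("largest unbounded piece:", unbounded_peak(CHUNKS))
    pieces = list(bounded_read(CHUNKS, 4096, 20_000_000))
    print("largest bounded piece:", max(map(len, pieces)), "total:", sum(map(len, pieces)))
```
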
