Your message dated Fri, 20 Mar 2026 17:18:46 +0000
with message-id <[email protected]>
and subject line Bug#1131371: fixed in pyasn1 0.6.3-1
has caused the Debian Bug report #1131371,
regarding pyasn1: CVE-2026-30922
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131371
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pyasn1
Version: 0.6.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pyasn1.

CVE-2026-30922[0]:
| pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the
| `pyasn1` library is vulnerable to a Denial of Service (DoS) attack
| caused by uncontrolled recursion when decoding ASN.1 data with
| deeply nested structures. An attacker can supply a crafted payload
| containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`)
| tags with "Indefinite Length" (`0x80`) markers. This forces the
| decoder to recursively call itself until the Python interpreter
| crashes with a `RecursionError` or consumes all available memory
| (OOM), crashing the host application. This is a distinct
| vulnerability from CVE-2026-23490 (which addressed integer overflows
| in OID decoding). The fix for CVE-2026-23490
| (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion
| issue. Version 0.6.3 fixes this specific issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-30922
    https://www.cve.org/CVERecord?id=CVE-2026-30922
[1] https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
[2] https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
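The quoted advisory describes the failure mode (unbounded recursion on deeply nested, indefinite-length SEQUENCE/SET elements). The following is an added example, not code from the bug report, the advisory or pyasn1 itself: an iterative walk over BER tag/length headers that measures constructed nesting depth and refuses input beyond a limit, which a deployment that cannot yet move to 0.6.3 could run before handing bytes to the decoder. The limit of 64, the function names and the sample bytes are assumptions constructed for this example.

```python
SAMPLE = b"\x30\x80\x30\x80\x02\x01\x01\x00\x00\x00\x00"  # constructed sample: two nested indefinite-length SEQUENCEs around INTEGER 1

def _read_length(data, pos):  # -> (length, next_pos); length is None for the indefinite form (0x80)
    first, pos = data[pos], pos + 1
    if first == 0x80:
        return None, pos
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or pos + n > len(data):
        raise ValueError("malformed long-form length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n

def ber_max_depth(data, limit=64):  # deepest constructed nesting; ValueError past `limit` or on malformed input
    stack = []  # one entry per open constructed element: end offset, or None if indefinite-length
    pos, deepest = 0, 0
    while pos < len(data):
        while stack and stack[-1] is not None and pos >= stack[-1]:
            stack.pop()  # definite-length container closed
        tag, pos = data[pos], pos + 1
        if tag == 0x00:  # end-of-contents (00 00) closes the innermost indefinite-length container
            if pos >= len(data) or data[pos] != 0x00 or not stack or stack[-1] is not None:
                raise ValueError("unexpected end-of-contents")
            stack.pop()
            pos += 1
            continue
        if tag & 0x1F == 0x1F:  # high tag number form: skip the continuation octets
            while data[pos] & 0x80:
                pos += 1
            pos += 1
        length, pos = _read_length(data, pos)
        if tag & 0x20:  # constructed (SEQUENCE 0x30, SET 0x31, ...): one more nesting level
            stack.append(None if length is None else pos + length)
            deepest = max(deepest, len(stack))
            if len(stack) > limit:
                raise ValueError(f"nesting depth exceeds {limit}")
        elif length is None:
            raise ValueError("primitive element with indefinite length")
        else:
            pos += length
    if any(end != pos for end in stack):  # unclosed indefinite container, or definite length past the data
        raise ValueError("truncated input")
    return deepest

def is_safe_to_decode(data, limit=64):
    try:
        return ber_max_depth(data, limit) <= limit
    except (ValueError, IndexError):
        return False
```

The walk uses an explicit stack rather than recursion, so the guard itself cannot be driven into a RecursionError by the input it inspects.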
--- Begin Message ---
Source: pyasn1
Source-Version: 0.6.3-1
Done: Alexandre Detiste <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pyasn1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Detiste <[email protected]> (supplier of updated pyasn1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Mar 2026 17:52:40 +0100
Source: pyasn1
Architecture: source
Version: 0.6.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Alexandre Detiste <[email protected]>
Closes: 1126615 1131371
Changes:
 pyasn1 (0.6.3-1) unstable; urgency=high
 .
   * New upstream version 0.6.3 (Closes: #1131371) with fix for
     CVE-2026-30922: Denial of Service attack caused by uncontrolled recursion
   * Add myself as Uploader
 .
   [ Francesco Poli ]
   * update Homepage (Closes: #1126615)



--- End Message ---