Your message dated Thu, 07 May 2026 04:34:01 +0000
with message-id <[email protected]>
and subject line Bug#1131472: fixed in deepdiff 9.0.0-1
has caused the Debian Bug report #1131472,
regarding deepdiff: CVE-2026-33155
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131472
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: deepdiff
Version: 8.6.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for deepdiff.
CVE-2026-33155[0]:
| DeepDiff is a project focused on Deep Difference and search of any
| Python data. From version 5.0.0 to before version 8.6.2, the pickle
| unpickler _RestrictedUnpickler validates which classes can be loaded
| but does not limit their constructor arguments. A few of the types
| in SAFE_TO_IMPORT have constructors that allocate memory
| proportional to their input (builtins.bytes, builtins.list,
| builtins.range). A 40-byte pickle payload can force 10+ GB of
| memory, which crashes applications that load delta objects or call
| pickle_load with untrusted data. This issue has been patched in
| version 8.6.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33155
    https://www.cve.org/CVERecord?id=CVE-2026-33155
[1] https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q
[2] https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
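The advisory's point is that an allowlist of importable classes does not bound what an allowlisted constructor is asked to allocate. The following is an added example, not DeepDiff's own code: a restricted unpickler that, in addition to the class allowlist, caps integer constructor arguments before calling the constructor. The SAFE_TO_IMPORT contents, MAX_ALLOC and all function names are assumptions, and the sample payload is constructed here so that it pickles as a call to builtins.bytes(n).

```python
import collections
import importlib
import io
import pickle

# Assumed allowlist in the spirit of the advisory's SAFE_TO_IMPORT (not the project's real list).
SAFE_TO_IMPORT = {"builtins.bytes", "builtins.list", "builtins.range", "builtins.set"}
MAX_ALLOC = 64 * 1024  # assumed policy: largest integer a constructor may be given


def _bounded(ctor):
    """Wrap a constructor so that integer arguments above MAX_ALLOC are refused.
    This covers the REDUCE path (func(*args)); NEWOBJ would need the same check on __new__."""
    def guarded(*args, **kwargs):
        for value in list(args) + list(kwargs.values()):
            if isinstance(value, int) and not isinstance(value, bool) and abs(value) > MAX_ALLOC:
                raise pickle.UnpicklingError(f"refusing {ctor.__name__}({value}): exceeds MAX_ALLOC")
        return ctor(*args, **kwargs)
    return guarded


class BoundedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        key = f"{module}.{name}"
        if key not in SAFE_TO_IMPORT:
            raise pickle.UnpicklingError(f"global {key!r} is forbidden")
        return _bounded(getattr(importlib.import_module(module), name))


def safe_load(data: bytes):
    return BoundedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the loader refuses the stream with UnpicklingError."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


class _Alloc:
    """Constructed sample object whose pickle is a call builtins.bytes(n)."""
    def __init__(self, n):
        self.n = n

    def __reduce__(self):
        return (bytes, (self.n,))


def make_payload(n: int) -> bytes:
    return pickle.dumps(_Alloc(n))


# Constructed sample that pickles as a global outside the allowlist.
FORBIDDEN_SAMPLE = pickle.dumps(collections.OrderedDict())
```

The cap only matters for constructors that amplify a small argument into a large allocation; a literal bytes object in the stream is already as large as what it produces.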
--- Begin Message ---
Source: deepdiff
Source-Version: 9.0.0-1
Done: Andreas Tille <[email protected]>
We believe that the bug you reported is fixed in the latest version of
deepdiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated deepdiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 07 May 2026 06:17:46 +0200
Source: deepdiff
Architecture: source
Version: 9.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Closes: 1131472
Changes:
deepdiff (9.0.0-1) unstable; urgency=medium
.
* Team upload.
* New upstream version
Closes: #1131472
* Update Homepage
* Update Source
* d/watch: version=5
* Standards-Version: 4.7.4 (routine-update)
* Reflow Uploaders field (cme)
* Remove Priority field (cme)
* Set upstream metadata fields: Documentation, Repository, Repository-Browse.
--- End Message ---