Your message dated Tue, 16 Jun 2026 20:47:36 +0000
with message-id <[email protected]>
and subject line Bug#1125190: fixed in python-filelock 3.9.0-1+deb12u1
has caused the Debian Bug report #1125190,
regarding python-filelock: CVE-2026-22701
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125190
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-filelock
Version: 3.20.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-filelock.

CVE-2026-22701[0]:
| filelock is a platform-independent file lock for Python. Prior to
| version 3.20.3, a TOCTOU race condition vulnerability exists in the
| SoftFileLock implementation of the filelock package. An attacker
| with local filesystem access and permission to create symlinks can
| exploit a race condition between the permission validation and file
| creation to cause lock operations to fail or behave unexpectedly.
| The vulnerability occurs in the _acquire() method between
| raise_on_not_writable_file() (permission check) and os.open() (file
| creation). During this race window, an attacker can create a symlink
| at the lock file path, potentially causing the lock to operate on an
| unintended target file or leading to denial of service. This issue
| has been patched in version 3.20.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22701
    https://www.cve.org/CVERecord?id=CVE-2026-22701
[1] https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw
[2] https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
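The CVE text above describes a check-then-act shape: a writability test followed, in a separate call, by the open that creates the lock file, with nothing pinning the path in between. The defensive counterpart is to let one system call do both and to verify the descriptor afterwards. The block below is an added example written for this page; it is not code from the filelock project, from the upstream patch or from this bug report. The function and class names, the scenario file names and the sample file contents are hypothetical and constructed for the illustration; `O_NOFOLLOW` is assumed to exist (POSIX) and degrades to no flag elsewhere.

```python
# Added example, not code from the filelock project or the bug report:
# a SoftFileLock-style acquire without the check-then-open window.
# All names below (LockError, acquire_atomic, run_scenarios, ...) are hypothetical.
import errno
import os
import stat
import tempfile


class LockError(Exception):
    """Lock file could not be created safely; `reason` is a short code."""

    def __init__(self, reason: str, path: str) -> None:
        super().__init__(f"{reason}: {path}")
        self.reason = reason


def acquire_check_then_open(lock_path: str, mode: int = 0o644) -> int:
    """Sketch of the two-step shape the CVE text describes (illustrative only).

    The writability test and the open are separate system calls, so what the
    path names can change between them, and a plain O_CREAT open follows a
    symlink placed there in the meantime.
    """
    if os.path.exists(lock_path) and not os.access(lock_path, os.W_OK):
        raise LockError("permission", lock_path)
    # --- race window: nothing pins the path between the check and the open ---
    return os.open(lock_path, os.O_WRONLY | os.O_CREAT, mode)


def acquire_atomic(lock_path: str, mode: int = 0o644) -> int:
    """Create the lock file in one system call and return its descriptor.

    O_CREAT|O_EXCL makes the kernel refuse if anything already occupies the
    path, including a symlink (dangling or not, per open(2)), so the lock is
    never created through a link's target. O_NOFOLLOW additionally refuses a
    symlink at the final component. A permission problem surfaces as
    PermissionError from the same call, so no separate pre-check is needed.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(lock_path, flags, mode)
    except FileExistsError:
        # lstat here only refines the error message; safety came from O_EXCL.
        try:
            is_link = stat.S_ISLNK(os.lstat(lock_path).st_mode)
        except OSError:
            is_link = False
        raise LockError("symlink" if is_link else "held", lock_path) from None
    except PermissionError:
        raise LockError("permission", lock_path) from None
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # O_NOFOLLOW met a symlink first
            raise LockError("symlink", lock_path) from None
        raise
    # Sanity check on the descriptor actually held: a regular file that is
    # still the inode the path names right now.
    st_fd = os.fstat(fd)
    try:
        st_path = os.lstat(lock_path)
    except OSError:
        st_path = None
    same = st_path is not None and (st_fd.st_dev, st_fd.st_ino) == (
        st_path.st_dev, st_path.st_ino)
    if not stat.S_ISREG(st_fd.st_mode) or not same:
        os.close(fd)
        raise LockError("replaced", lock_path)
    return fd


def describe_attempt(lock_path: str) -> str:
    """Acquire once, release the descriptor, report the outcome as a label."""
    try:
        fd = acquire_atomic(lock_path)
    except LockError as exc:
        return "rejected:" + exc.reason
    os.close(fd)  # the file stays behind: its existence is the soft lock
    return "acquired"


def run_scenarios() -> dict:
    """Run acquire_atomic against constructed situations in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "fresh.lock")
        results["fresh"] = describe_attempt(fresh)  # creates the file
        results["held"] = describe_attempt(fresh)   # file exists: refused

        target = os.path.join(d, "victim.txt")      # constructed target file
        with open(target, "w") as fh:
            fh.write("pre-existing data\n")
        link = os.path.join(d, "link.lock")
        os.symlink(target, link)                    # constructed symlink
        results["symlink"] = describe_attempt(link)
        with open(target) as fh:
            results["target_untouched"] = fh.read() == "pre-existing data\n"

        missing = os.path.join(d, "nowhere.txt")
        dangling = os.path.join(d, "dangling.lock")
        os.symlink(missing, dangling)               # constructed dangling link
        results["dangling"] = describe_attempt(dangling)
        results["dangling_target_created"] = os.path.exists(missing)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>24}: {outcome}")
```

Run as a script it prints one label per scenario. The point of the design is that `acquire_atomic` never reasons about the path before opening it: the kernel's `O_CREAT|O_EXCL` semantics reject a pre-existing symlink whether or not its target exists, so the dangling-link case ends with no file created at the link's target, and the post-open `fstat`/`lstat` comparison is a check on the descriptor in hand rather than on a path that may have changed.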
--- Begin Message ---
Source: python-filelock
Source-Version: 3.9.0-1+deb12u1
Done: Matheus Polkorny <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-filelock, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matheus Polkorny <[email protected]> (supplier of updated python-filelock package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Jun 2026 00:24:53 -0300
Source: python-filelock
Binary: python3-filelock
Architecture: source all
Version: 3.9.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Sascha Steinbiss <[email protected]>
Changed-By: Matheus Polkorny <[email protected]>
Description:
 python3-filelock - platform independent file locking module
Closes: 1123510 1125190
Changes:
 python-filelock (3.9.0-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * d/patches: (Closes: #1123510, #1125190)
     - CVE-2025-68146: Import and backport upstream patch
       (A TOCTOU race condition allows local attackers)
     - CVE-2026-22701: Import and backport upstream patch
       (A TOCTOU race condition allows local attackers)
Checksums-Sha1:
 3df0839ed4e217c79a449b5c6d7741a31e88e17a 2101 python-filelock_3.9.0-1+deb12u1.dsc
 441aa07fafcdc3592d71167ab4162e46e08da3fa 4880 python-filelock_3.9.0-1+deb12u1.debian.tar.xz
 a0f4897c48a8ea8179e1064aab9c7c891e9a0249 7602 python-filelock_3.9.0-1+deb12u1_amd64.buildinfo
 caeb1553f9db46c0471d7dee10aa50a0e8e63ac8 10200 python3-filelock_3.9.0-1+deb12u1_all.deb
Checksums-Sha256:
 cb188c91384a6559e493f86b927ecee221f4fcfb37350efb54af8b7bb4f3741a 2101 python-filelock_3.9.0-1+deb12u1.dsc
 8600b32f2814721098d646fad07d330b53ed8a2577cba0c8f843df40827c3899 4880 python-filelock_3.9.0-1+deb12u1.debian.tar.xz
 b976ce595e3aca8e834021fbf20836770582735688438ed69c908b160f5fd5de 7602 python-filelock_3.9.0-1+deb12u1_amd64.buildinfo
 749e10150cd85f89044d75a5e0d7a840d12ca011c62bf1068c631c3998569ed5 10200 python3-filelock_3.9.0-1+deb12u1_all.deb
Files:
 b34ada907f234bf505861b77060782c6 2101 python optional python-filelock_3.9.0-1+deb12u1.dsc
 a1729f62149e1dd1a505625408e1f32e 4880 python optional python-filelock_3.9.0-1+deb12u1.debian.tar.xz
 e5a845a3a025a66aef876cd6c5a4cf0d 7602 python optional python-filelock_3.9.0-1+deb12u1_amd64.buildinfo
 ed2dccafc2d1871186a33086914d2975 10200 python optional python3-filelock_3.9.0-1+deb12u1_all.deb



--- End Message ---
