Your message dated Sun, 21 Jun 2026 14:33:53 +0000
with message-id <[email protected]>
and subject line Bug#1126302: fixed in protobuf 3.21.12-16
has caused the Debian Bug report #1126302,
regarding protobuf: CVE-2026-0994
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126302
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: protobuf
Version: 3.21.12-15
Severity: important
Tags: security upstream
Forwarded: https://github.com/protocolbuffers/protobuf/issues/25070
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for protobuf.

Filling a bug mainlly for tracking for now the upstream issue. Need
closer assessment.

CVE-2026-0994[0]:
| A denial-of-service (DoS) vulnerability exists in
| google.protobuf.json_format.ParseDict() in Python, where the
| max_recursion_depth limit can be bypassed when parsing nested
| google.protobuf.Any messages.  Due to missing recursion depth
| accounting inside the internal Any-handling logic, an attacker can
| supply deeply nested Any structures that bypass the intended
| recursion limit, eventually exhausting Python’s recursion stack and
| causing a RecursionError.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0994
    https://www.cve.org/CVERecord?id=CVE-2026-0994
[1] https://github.com/protocolbuffers/protobuf/issues/25070
[2] https://github.com/protocolbuffers/protobuf/pull/25239

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: protobuf
Source-Version: 3.21.12-16
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated protobuf 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 15:36:07 +0200
Source: protobuf
Architecture: source
Version: 3.21.12-16
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1126302 1134895
Changes:
 protobuf (3.21.12-16) unstable; urgency=medium
 .
   [ Adrian Bunk <[email protected]> ]
   * Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
   * Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).
Checksums-Sha1:
 8008be478cbff43043aedfd5c7d725f42889cff4 3073 protobuf_3.21.12-16.dsc
 af34331566c514742aa230acf04ffb285be4f79a 49176 
protobuf_3.21.12-16.debian.tar.xz
Checksums-Sha256:
 17d46b94cf664e3711bf63b6847d14db255c77035a96603f56469c76a1866573 3073 
protobuf_3.21.12-16.dsc
 30b0925b802e58cb4883dd414f64dfbc50b139893da7f65c3a9f42a97a785f82 49176 
protobuf_3.21.12-16.debian.tar.xz
Files:
 a6b7b363a7928e08f442575be04dfb0d 3073 devel optional protobuf_3.21.12-16.dsc
 40351a274987c4cc79f0ec85be30b1ed 49176 devel optional 
protobuf_3.21.12-16.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmo375cACgkQ3OMQ54ZM
yL+Fuw//YLOgc61F7SHcGv7YY0+v9qNSBap4wrLVxed098qUKnSE8LJtBoC8i8TX
d36ZkRr3HZ1NqZYZmSAw/iFtdGYKfx2cjNn+iH12D0X+ARE2u6A/g3q/ejxqgz+o
xQ0085kzkuGTFV3Q0e44s3XvX7cvjghD4/AfqgElOOLo1oZC1U9HNHMWNu6sfzXX
45dnaq1TWk6J3arNbwGETLogP1O4BlzQS8gjGRTujq2ijA9gG8ZMoGpoXgo+c3n8
g5PO0LpukfhnkC0EAohiwdjGajh2xu/OH93+mQapLRmAX20AC6U9/xQJktO5c1SS
TkPgVGOq6K9mmGo5cNeYpxBBIxytWSibQUSIStdymE6YQg/S9Lz6DidrYAIlyjit
+U79nQAl1WwxImYcMl58YZ7+zLEFB3GmlDX2xeWQcaT+uD7GBfr5ywEKo/btKmZW
yow3gVi3eO7C9T6i74EUfBNSYWGk7GgCaTnNcq3tRlD0ip6q9m0dmTdQn1hMB4gS
DP6URRHzl6FVPWkmzCbx2ZLeHqz5mvxcdklEFGKr4PYqTX/cpRoeLGQ8xkaKcViL
RgPBVE5LJe6fCoyNM0bhkJ1BB3t9Qc23ZqZrcCFjp8LsARY1f7mB2UMh8rYnfi/V
BAzrgh9REeVzbjRLpiJVgLKUjF3NPxoVTb9weO0JfiUKNouQaMg=
=KgAU
-----END PGP SIGNATURE-----

Attachment: pgpRYfHVydw1d.pgp
Description: PGP signature


--- End Message ---

Reply via email to