Your message dated Thu, 25 Jun 2026 09:18:46 +0000
with message-id <[email protected]>
and subject line Bug#1139164: fixed in python-idna 3.11-1.1
has caused the Debian Bug report #1139164,
regarding python-idna: CVE-2026-45409
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139164
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-idna
Version: 3.11-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-idna.
CVE-2026-45409[0]:
| Internationalized Domain Names in Applications (IDNA) for Python
| provides support for Internationalized Domain Names in Applications
| (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
| to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N +
| "\u6f22"` utilize the `valid_contexto` function prior to length
| rejection, and for high values of `N` will take a long time to
| process. This is the same issue as CVE-2024-3651, however the
| original remediation in 2024 was not a complete fix. A specially
| crafted argument to the `idna.encode()` function could consume
| significant resources. This may lead to a denial-of-service.
| Starting in version 3.14, the function rejects long inputs as soon
| as practicable prior to any further processing to minimize resource
| consumption. In version 3.15, this approach was extended to lesser
| used alternate functions (i.e. per-label conversions and codec
| support). A workaround is available. Domain names cannot exceed 253
| characters in length. If this length limit is enforced prior to
| passing the domain to the `idna.encode()` function, it should no
| longer consume significant resources. This is triggered by
| arbitrarily large inputs that would not occur in normal usage, but
| may be passed to the library assuming there is no preliminary input
| validation by the higher-level application.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-45409
https://www.cve.org/CVERecord?id=CVE-2026-45409
[1] https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
[2] https://github.com/kjd/idna/commit/628fef84d3eda59321c21127e73dcd873db23ead
[3] https://github.com/kjd/idna/commit/e1cb465b6376f33306a26f467d197edbcd01c4b9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
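The workaround described in the CVE text quoted above, as an added example that is not part of the bug report or of the idna project's code: a length gate that rejects oversized input before any encoder sees it. The names `safe_idna_encode`, `DomainTooLong` and `demo` are hypothetical, the payloads are constructed from the two shapes the advisory names, and the fallback to the standard-library `idna` codec when the third-party package is not installed is an assumption.

```python
from typing import Callable, Optional, Union

MAX_DOMAIN_CHARS = 253  # limit stated in the CVE description


class DomainTooLong(ValueError):
    """Raised by the gate before any IDNA processing runs."""


def _default_encoder() -> Callable[[str], bytes]:
    # Assumption: prefer the third-party idna package when installed,
    # otherwise fall back to the standard-library "idna" codec.
    try:
        import idna
        return idna.encode
    except ImportError:
        return lambda name: name.encode("idna")


def safe_idna_encode(domain: Union[str, bytes],
                     encoder: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Hypothetical wrapper: length check first, encoder second."""
    # len() is O(1) on str and bytes, so rejection cost does not grow with N.
    if len(domain) > MAX_DOMAIN_CHARS:
        raise DomainTooLong(
            f"input length {len(domain)} exceeds {MAX_DOMAIN_CHARS}")
    if isinstance(domain, bytes):
        domain = domain.decode("ascii")  # non-ASCII raises UnicodeDecodeError
    return (encoder or _default_encoder())(domain)


def demo(n: int = 100_000):
    """Run the two payload shapes from the CVE text through the gate."""
    seen = []  # every input that actually reached the encoder

    def recording_encoder(name: str) -> bytes:
        seen.append(name)
        return name.encode("idna")  # stdlib codec as a stand-in encoder

    rejected = 0
    for payload in ("\u0660" * n, "\u30fb" * n + "\u6f22"):  # constructed
        try:
            safe_idna_encode(payload, recording_encoder)
        except DomainTooLong:
            rejected += 1
    encoded = safe_idna_encode("example.org", recording_encoder)
    return rejected, seen, encoded
```

Because `DomainTooLong` subclasses `ValueError`, callers that already treat encoder errors as invalid input handle the rejection without changes.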
--- Begin Message ---
Source: python-idna
Source-Version: 3.11-1.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-idna, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-idna package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Jun 2026 17:01:51 +0300
Source: python-idna
Architecture: source
Version: 3.11-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1139164
Changes:
python-idna (3.11-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-45409: DoS from specially crafted inputs (Closes: #1139164)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---