Your message dated Sun, 28 Jun 2026 17:10:02 +0000
with message-id <[email protected]>
and subject line Bug#1140427: fixed in python-urllib3 2.7.0-1
has caused the Debian Bug report #1140427,
regarding python-urllib3: CVE-2026-9375
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.6.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-urllib3.

CVE-2026-9375[0]:
| urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass
| in its streaming API (`preload_content=False`) when using Brotli
| support. The issue arises due to three independent code paths in
| `response.py` that bypass the `max_length` protection introduced in
| version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative
| `max_length` values can be produced due to buffer arithmetic in
| `read()`, `flush_decoder` unconditionally overrides `max_length` to
| `-1`, and `_flush_decoder()` passes no limit at all, defaulting to
| unlimited decompression. This allows a malicious HTTP server to
| trigger an out-of-memory (OOM) condition by decompressing large
| payloads into memory, leading to a denial of service (DoS). The
| vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts
| applications and libraries using `requests` or `urllib3` to stream
| content from untrusted sources.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9375
    https://www.cve.org/CVERecord?id=CVE-2026-9375
[1] https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb5cc48a8662425e35e15adfe6a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
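The report above describes three internal paths on which urllib3's max_length guard was effectively switched off: a negative value produced by buffer arithmetic, an unconditional override to -1, and a flush with no limit at all. The block below is an added example, not code from urllib3, from the bug report or from the Debian package; it shows the consumer-side discipline that closes the same three holes in an application's own streaming loop: a strictly positive output budget on every decompress() call, re-feeding of unconsumed input, and a second check after flush() because flush has no limit argument. It uses zlib in place of Brotli so that it runs offline, and the 8 MiB "bomb", the 4 KiB chunk size and the 1 MiB cap are constructed sample values.

```python
import zlib


class DecompressionBombError(Exception):
    """Raised when decoded output exceeds the caller's cap."""


# Constructed sample input: 8 MiB of zeros compresses to a few KiB, a toy
# decompression bomb. zlib/deflate stands in for Brotli so this runs offline;
# the max_length budgeting is the same idea as the guard the CVE describes.
DECODED_SIZE = 8 * 1024 * 1024
BOMB_ON_WIRE = zlib.compress(b"\0" * DECODED_SIZE, 9)


def wire_chunks(payload, size=4096):
    """Yield the compressed body the way a streaming reader sees it."""
    for i in range(0, len(payload), size):
        yield payload[i:i + size]


def read_unbounded(chunks):
    """Vulnerable pattern: every decompress() call and the final flush run
    with no output limit (what a max_length of 0 means to zlib), so a few
    KiB of input expand to whatever size the server chose."""
    dec = zlib.decompressobj()
    out = bytearray()
    for chunk in chunks:
        out += dec.decompress(chunk)  # no max_length: unlimited
    out += dec.flush()                # flush is unlimited too
    return bytes(out)


def read_bounded(chunks, max_decoded):
    """Hardened pattern: cap decoded bytes on every path.

    Each decompress() call gets a positive max_length (never 0, which zlib
    treats as unlimited, and never negative), leftover input is re-fed from
    unconsumed_tail, and the post-loop flush is re-checked because it has no
    limit argument of its own.
    """
    if max_decoded <= 0:
        raise ValueError("max_decoded must be positive")
    dec = zlib.decompressobj()
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # Ask for at most one byte beyond the cap: that extra byte is how
            # the overrun is detected without ever passing 0 to zlib.
            budget = max_decoded - len(out) + 1
            out += dec.decompress(data, budget)
            if len(out) > max_decoded:
                raise DecompressionBombError(
                    f"decoded output exceeded {max_decoded} bytes")
            data = dec.unconsumed_tail
    out += dec.flush()  # may still emit buffered bytes: check again
    if len(out) > max_decoded:
        raise DecompressionBombError(
            f"decoded output exceeded {max_decoded} bytes during flush")
    return bytes(out)


def demo(cap=1024 * 1024):
    """Return (unbounded_size, bounded_stopped) for the constructed bomb."""
    unbounded = len(read_unbounded(wire_chunks(BOMB_ON_WIRE)))
    try:
        read_bounded(wire_chunks(BOMB_ON_WIRE), cap)
        stopped = False
    except DecompressionBombError:
        stopped = True
    return unbounded, stopped


if __name__ == "__main__":
    size, stopped = demo()
    print(f"unbounded reader produced {size} bytes; "
          f"bounded reader stopped at the cap: {stopped}")
```

An application that streams with preload_content=False can apply the same cap to the bytes it accumulates whatever urllib3 version is installed: the 2.7.0-1 upload fixes the library's internal paths, while the application-level budget is what bounds memory for the body it actually keeps.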
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.7.0-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2026 17:48:21 +0100
Source: python-urllib3
Architecture: source
Version: 2.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1136654 1140427 1140932
Changes:
 python-urllib3 (2.7.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2026-44432, CVE-2026-9375: Decompression-bomb safeguards bypassed
       in parts of the streaming API (closes: #1136654, #1140427).
     - GHSA-qccp-gfcp-xxvc: Sensitive headers forwarded across origins in
       proxied low-level redirects.
   * Don't parameterize tests using non-Collection iterables (closes:
     #1140932).
Checksums-Sha1:
 bdc98fc6d80d8ca75438e5accfeb40eb5d1ded73 3007 python-urllib3_2.7.0-1.dsc
 c57dd149bed207e691060def264da11e3508a0b0 433602 python-urllib3_2.7.0.orig.tar.gz
 dc5385e24d52a8f80bf9ba4d4fa7c4846257b8f1 38660 python-urllib3_2.7.0-1.debian.tar.xz
Checksums-Sha256:
 ad525911bd26220ccdfd61d16dc775cfce30308214bed9b9c4834a1441ac4b44 3007 python-urllib3_2.7.0-1.dsc
 231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c 433602 python-urllib3_2.7.0.orig.tar.gz
 5449700f4f5688181c73a6fdca4393ef5ad85019955f1f8459630ca83691dd88 38660 python-urllib3_2.7.0-1.debian.tar.xz
Files:
 efd40c01b6fc9854625309734d92ff2f 3007 python optional python-urllib3_2.7.0-1.dsc
 e79707b798a66c8165c9c441440f4e80 433602 python optional python-urllib3_2.7.0.orig.tar.gz
 206bb4386a118e25ba1e5ef07f19a846 38660 python optional python-urllib3_2.7.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
