Your message dated Tue, 30 Jun 2026 18:17:10 +0000
with message-id <[email protected]>
and subject line Bug#1123888: fixed in python-marshmallow 3.26.2-0+deb13u1
has caused the Debian Bug report #1123888,
regarding python-marshmallow: CVE-2025-68480
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123888: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123888
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-marshmallow
Version: 3.26.1-0.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-marshmallow.
CVE-2025-68480[0]:
| Marshmallow is a lightweight library for converting complex objects
| to and from simple Python datatypes. In versions from 3.0.0rc1 to
| before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data,
| many=True) is vulnerable to denial of service attacks. A moderately
| sized request can consume a disproportionate amount of CPU time.
| This issue has been patched in version 3.26.2 and 4.1.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-68480
https://www.cve.org/CVERecord?id=CVE-2025-68480
[1] https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
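An added triage helper, not part of the bug report or of the marshmallow project: it tests whether an installed marshmallow version falls inside the affected ranges named in the advisory text above ([3.0.0rc1, 3.26.2) and [4.0.0, 4.1.2)). It assumes Debian package versions of the form [epoch:]upstream[-revision], with pre-releases written as "~rc1", and upstream versions of the form X.Y.Z with an optional a/b/rc suffix; the version strings in the tests are constructed from this thread.

```python
import re
import sys

# Affected ranges as stated in the CVE-2025-68480 description: lower bound
# inclusive, upper bound exclusive (the fixed release).
AFFECTED_RANGES = (
    ("3.0.0rc1", "3.26.2"),
    ("4.0.0", "4.1.2"),
)

# Release digits plus an optional PEP 440 pre-release tag (a1, b2, rc1).
_VERSION_RE = re.compile(r"^(?P<release>\d+(?:\.\d+)*)(?:(?P<pre>a|b|rc)(?P<num>\d+))?$")


def upstream_version(package_version):
    """Reduce a Debian package version to the upstream version.

    Assumption: drop an epoch ("1:"), a Debian revision ("-0+deb13u1"),
    and the "~" Debian uses to mark pre-releases ("3.0.0~rc1" -> "3.0.0rc1").
    """
    no_epoch = package_version.split(":", 1)[-1]
    no_revision = no_epoch.rsplit("-", 1)[0]
    return no_revision.replace("~", "")


def version_key(version):
    """Sortable key: release tuple padded to 3 parts, then pre-release rank.

    Pre-releases (a < b < rc) sort before the final release of the same number.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in match.group("release").split("."))
    release += (0,) * (3 - len(release))
    pre_rank = {"a": 0, "b": 1, "rc": 2, None: 3}[match.group("pre")]
    pre_num = int(match.group("num") or 0)
    return release + (pre_rank, pre_num)


def is_affected(package_version):
    """True if the given (Debian or upstream) version lies in an affected range."""
    key = version_key(upstream_version(package_version))
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Usage: python3 check.py <version as shown by dpkg -l or pip list>
    for arg in sys.argv[1:]:
        print(f"{arg}: {'AFFECTED' if is_affected(arg) else 'not affected'}")
```

Feed it the version column of `dpkg -l python3-marshmallow` or `pip show marshmallow`; the trixie version reported in this thread before the update (3.26.1-0.2) is flagged, the fixed 3.26.2-0+deb13u1 is not.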
--- Begin Message ---
Source: python-marshmallow
Source-Version: 3.26.2-0+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-marshmallow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-marshmallow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 28 Jun 2026 11:20:03 +0300
Source: python-marshmallow
Architecture: source
Version: 3.26.2-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Federico Ceratto <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1123888
Changes:
python-marshmallow (3.26.2-0+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* New upstream release.
- CVE-2025-68480: DoS with Schema.load(many) (Closes: #1123888)
--- End Message ---