Your message dated Tue, 30 Jun 2026 18:17:09 +0000
with message-id <[email protected]>
and subject line Bug#1139164: fixed in python-idna 3.10-1+deb13u1
has caused the Debian Bug report #1139164,
regarding python-idna: CVE-2026-45409
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139164
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-idna
Version: 3.11-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-idna.
CVE-2026-45409[0]:
| Internationalized Domain Names in Applications (IDNA) for Python
| provides support for Internationalized Domain Names in Applications
| (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
| to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N +
| "\u6f22"` utilize the `valid_contexto` function prior to length
| rejection, and for high values of `N` will take a long time to
| process. This is the same issue as CVE-2024-3651, however the
| original remediation in 2024 was not a complete fix. A specially
| crafted argument to the `idna.encode()` function could consume
| significant resources. This may lead to a denial-of-service.
| Starting in version 3.14, the function rejects long inputs as soon
| as practicable prior to any further processing to minimize resource
| consumption. In version 3.15, this approach was extended to lesser
| used alternate functions (i.e. per-label conversions and codec
| support). A workaround is available. Domain names cannot exceed 253
| characters in length. If this length limit is enforced prior to
| passing the domain to the `idna.encode()` function, it should no
| longer consume significant resources. This is triggered by
| arbitrarily large inputs that would not occur in normal usage, but
| may be passed to the library assuming there is no preliminary input
| validation by the higher-level application.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-45409
https://www.cve.org/CVERecord?id=CVE-2026-45409
[1] https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
[2] https://github.com/kjd/idna/commit/628fef84d3eda59321c21127e73dcd873db23ead
[3] https://github.com/kjd/idna/commit/e1cb465b6376f33306a26f467d197edbcd01c4b9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
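The workaround the advisory describes above (enforce the 253-character domain length limit before the input reaches `idna.encode()`), as an added example that is not code from the bug report or from the idna project. The 253-character total comes from the advisory; the 63-character per-label limit is RFC 1035's and is an assumption added here; `check_domain_length`, `safe_idna_encode` and `DomainTooLong` are hypothetical names. The block uses the idna package when it is installed and otherwise falls back to the standard library's IDNA codec so it runs without extra dependencies.

```python
# Added example (not code from the idna project or the bug report): an
# application-side length gate applied before idna.encode(), which is the
# workaround the advisory describes. The 253-character total is from the
# advisory; the 63-character per-label limit is the RFC 1035 label limit and
# is an assumption added here. All names below are hypothetical.
from typing import Callable, Optional

MAX_DOMAIN_LENGTH = 253  # total length limit quoted in the advisory
MAX_LABEL_LENGTH = 63    # RFC 1035 per-label limit (assumption, not in the advisory)


class DomainTooLong(ValueError):
    """Raised when input is rejected before any IDNA processing runs."""


def check_domain_length(domain: str) -> int:
    """Return the counted length of `domain`, or raise DomainTooLong.

    A single trailing dot (fully qualified form) is not counted. Lengths are
    counted in code points of the U-label; Punycode never shortens a label,
    so anything rejected here would be rejected by the encoder as well.
    """
    if not isinstance(domain, str):
        raise TypeError("domain must be a str")
    bare = domain[:-1] if domain.endswith(".") else domain
    if len(bare) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(
            f"domain is {len(bare)} characters, limit is {MAX_DOMAIN_LENGTH}"
        )
    for label in bare.split("."):
        if len(label) > MAX_LABEL_LENGTH:
            raise DomainTooLong(
                f"label is {len(label)} characters, limit is {MAX_LABEL_LENGTH}"
            )
    return len(bare)


def _default_encoder() -> Callable[[str], bytes]:
    """Prefer the idna package discussed in the report; fall back to the
    standard-library IDNA codec so the example still runs without it."""
    try:
        import idna
        return idna.encode
    except ImportError:
        return lambda s: s.encode("idna")


def safe_idna_encode(
    domain: str, encoder: Optional[Callable[[str], bytes]] = None
) -> bytes:
    """Gate on length first, then hand the bounded input to the IDNA encoder."""
    check_domain_length(domain)  # raises before the encoder ever sees the input
    if encoder is None:
        encoder = _default_encoder()
    return encoder(domain)


if __name__ == "__main__":
    # Constructed inputs: a normal name and the advisory's "\u0660" * N pattern.
    print(safe_idna_encode("bücher.example"))
    try:
        safe_idna_encode("\u0660" * 100_000)
    except DomainTooLong as exc:
        print("rejected before IDNA processing:", exc)
```

The gate runs in time proportional to the input length and does no Unicode processing at all, so the cost of a large input is bounded by the length check itself; the encoder only ever receives at most 253 code points (plus a trailing dot), which is the bound the advisory relies on.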
--- Begin Message ---
Source: python-idna
Source-Version: 3.10-1+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-idna, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-idna package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 Jun 2026 20:30:37 +0300
Source: python-idna
Architecture: source
Version: 3.10-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1139164
Changes:
python-idna (3.10-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-45409: DoS from specially crafted inputs (Closes: #1139164)
Checksums-Sha1:
b09666a0b0205247c3ae1043b0200fcc7b24b3fd 2123 python-idna_3.10-1+deb13u1.dsc
fb47f75d124a8141fa1964e3381a40d86d747676 138704 python-idna_3.10.orig.tar.xz
0b14799966867aa4cb3d80e52be2639d174da835 7536 python-idna_3.10-1+deb13u1.debian.tar.xz
Checksums-Sha256:
af02f92bbba247bf01bfcf7842a4d5f17ec5330ca00c07ab61b97193bdfd537e 2123 python-idna_3.10-1+deb13u1.dsc
03af80a86108713070c5b404a22864a5164d7f693c7f7504c2dc839533a184ad 138704 python-idna_3.10.orig.tar.xz
90f8226b18d1c3bcb04f7a3001071c10c293f047146b87b3ce133d49848630f5 7536 python-idna_3.10-1+deb13u1.debian.tar.xz
Files:
50529f0f419c8eee5c7f57e60cf343e5 2123 python optional python-idna_3.10-1+deb13u1.dsc
8a968e3d8edcfa8757e57bf5d016654f 138704 python optional python-idna_3.10.orig.tar.xz
07f6cde359180ae31382e178f9f8ae77 7536 python optional python-idna_3.10-1+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=yXyc
-----END PGP SIGNATURE-----
--- End Message ---