Your message dated Sat, 04 Jul 2026 11:32:21 +0000
with message-id <[email protected]>
and subject line Bug#1108057: fixed in protobuf 3.21.12-3+deb12u1
has caused the Debian Bug report #1108057,
regarding protobuf: CVE-2025-4565
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: protobuf
Version: 3.21.12-11
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for protobuf.
CVE-2025-4565[0]:
| Any project that uses Protobuf Pure-Python backend to parse
| untrusted Protocol Buffers data containing an arbitrary number of
| recursive groups, recursive messages or a series of SGROUP tags can
| be corrupted by exceeding the Python recursion limit. This can
| result in a Denial of service by crashing the application with a
| RecursionError. We recommend upgrading to version =>6.31.1 or beyond
| commit 17838beda2943d08b8a9d4df5b68f5f04f26d901
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4565
https://www.cve.org/CVERecord?id=CVE-2025-4565
[1]
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: protobuf
Source-Version: 3.21.12-3+deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated protobuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 22:51:59 +0300
Source: protobuf
Architecture: source
Version: 3.21.12-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1082381 1108057 1126302 1134895
Changes:
protobuf (3.21.12-3+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
* Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).
.
[ Hlib Korzhynskyy <[email protected]> ]
* Complete fix of CVE-2024-7254 (closes: #1082381):
- add recursion checks and recursion limit,
- add tests.
.
[ Laszlo Boszormenyi (GCS) ]
* Fix CVE-2025-4565: data containing an arbitrary number of recursive
groups, recursive messages or a series of SGROUP tags can be corrupted
by exceeding the Python recursion limit (closes: #1108057).
Checksums-Sha1:
40bed51d97a6ea71e7ed41c1d07424403a31a348 3106 protobuf_3.21.12-3+deb12u1.dsc
30d1134509211b033bbd70b82053866534eac22a 46240
protobuf_3.21.12-3+deb12u1.debian.tar.xz
Checksums-Sha256:
22e31f6dfc06d85a9054bf19603a412698c0d2f760a754650cd2385ea303cee0 3106
protobuf_3.21.12-3+deb12u1.dsc
49cdad49801545cb797355af19fbd6b3627084c6549f629512faaa4e25dd5647 46240
protobuf_3.21.12-3+deb12u1.debian.tar.xz
Files:
ee87dee64901a13289e4548203501121 3106 devel optional
protobuf_3.21.12-3+deb12u1.dsc
e8580bcac9651c4bedd80b25b9df28e0 46240 devel optional
protobuf_3.21.12-3+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpG0hQACgkQiNJCh6LY
mLEwTw/+KWTiTx+cy/hJZPQh1fnC9ieCkBD5aJ4kc/5QvBDCbGxyleUsoMG2JGTp
Y1oOgW+kxfuc7CI2sxNzuwEZBMTxes+9OHxGuozDonKkfsU6A12mUtTh7LgHUGqH
FP3f2xjqn4THuwyJm+oEPPQ5l6PqCiPa0aO1SLBeD/VpjyhxD/pF8QpyPJOVIk3z
Hzkkxbaeo+UBBW7eQ4fuR8fJ++8lzo9lBuBYTo43QhOyE+2pQXJCuidwPISZBj4V
7JTrk9XwjyxuZUVNbW/THbJ28g15yJDABjzNxREs2HDEB93N02Y4RoFCkT+C3Vly
s8UUinAOtrmNwdoaP9GQI0oyhTpjHu6me1qUS6SwSI+xHeFvRYrTQ0r06U7w37Us
NaVHcYgGWs6hn9g05SXmekm3WKSoX3+F7jVZteMj/HBnIHpJKcdv9P1RTsgsossW
a8TTlIFcLVn7HmQcoNcH3S9Y/xclWHI995CSTs35qbD6jk1/EQSHY6oRTSjtpcQY
obNY96Ftugm0GspDaI60aWAxfMt1OrZ53lNmR5aIvpjhm7/bwlCZ5E7VUOCAlV15
/EkGEqJx+VFin/aOw2e2l0PT2HzXZZQmyAuHtBJ7VxzXBGmjOlV1/ShmW046kOqL
hWiaQDK2Uym0Y9QMXZEPd2Ky1xuOKKwFyp+nDGvLV3x55VNy/aE=
=dIiA
-----END PGP SIGNATURE-----
pgpprrL1Jgg3z.pgp
Description: PGP signature
--- End Message ---