Your message dated Sat, 04 Jul 2026 12:32:05 +0000
with message-id <[email protected]>
and subject line Bug#1108057: fixed in protobuf 3.21.12-11+deb13u1
has caused the Debian Bug report #1108057,
regarding protobuf: CVE-2025-4565
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: protobuf
Version: 3.21.12-11
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for protobuf.
CVE-2025-4565[0]:
| Any project that uses Protobuf Pure-Python backend to parse
| untrusted Protocol Buffers data containing an arbitrary number of
| recursive groups, recursive messages or a series of SGROUP tags can
| be corrupted by exceeding the Python recursion limit. This can
| result in a Denial of service by crashing the application with a
| RecursionError. We recommend upgrading to version =>6.31.1 or beyond
| commit 17838beda2943d08b8a9d4df5b68f5f04f26d901
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4565
https://www.cve.org/CVERecord?id=CVE-2025-4565
[1]
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: protobuf
Source-Version: 3.21.12-11+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated protobuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 22:28:07 +0300
Source: protobuf
Architecture: source
Version: 3.21.12-11+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1082381 1108057 1126302 1134895
Changes:
protobuf (3.21.12-11+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
* Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).
.
[ Hlib Korzhynskyy <[email protected]> ]
* Complete fix of CVE-2024-7254 (closes: #1082381):
- add recursion checks and recursion limit,
- add tests.
.
[ Laszlo Boszormenyi (GCS) ]
* Fix CVE-2025-4565: data containing an arbitrary number of recursive
groups, recursive messages or a series of SGROUP tags can be corrupted
by exceeding the Python recursion limit (closes: #1108057).
Checksums-Sha1:
ab88f63d8d42af219a219db2b9d3f0d26a980769 3075 protobuf_3.21.12-11+deb13u1.dsc
7aec582dff3ab784ca7d2a2c99e59c64e8866fb5 5141502 protobuf_3.21.12.orig.tar.gz
d57d3335b1e1f0d5a9258c23ff0c860090bb040e 48312
protobuf_3.21.12-11+deb13u1.debian.tar.xz
Checksums-Sha256:
8f60b706ef31fa14c88d93314a5a3ae07b98fa0bc3bb4b58739598de6357779a 3075
protobuf_3.21.12-11+deb13u1.dsc
930c2c3b5ecc6c9c12615cf5ad93f1cd6e12d0aba862b572e076259970ac3a53 5141502
protobuf_3.21.12.orig.tar.gz
52c7c9377a2cb93649fb778baf4fe76d4489893ef04bad675acfa9b16e6313d5 48312
protobuf_3.21.12-11+deb13u1.debian.tar.xz
Files:
256beb94b7e5df55ac9048da6900d5f1 3075 devel optional
protobuf_3.21.12-11+deb13u1.dsc
d38562490234d8080bdbe8eb7baf937a 5141502 devel optional
protobuf_3.21.12.orig.tar.gz
964899f3010a9b2c14603ccbeed6f1c2 48312 devel optional
protobuf_3.21.12-11+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpGwHkACgkQiNJCh6LY
mLEpWg/9FMk3yD2YLya4M+zEtReTCpODpV4Eo5zRvM70dH7mfxCrrKaaA0PtmPzW
D45PWYzOGjGOC9YGU8fPSqRu26Y+9V1hT8XhHUeIB8oOFc61Vzl5vTcBB4QMan9L
udDe//9T+j2ZXkljlhjF1UAlm0Aoj5+GjXAc2r/kqfHBiQGs+5vT6+Z0BnbdgwNY
xXCKY1VWCjNbCcC3awXnMIxBjqFuOzFKN8VOMhBXpFwlX53828pWFjtBLnT0HntC
wDOKfyDXYBx/ypErB5iW8vGySQ+sgDKGmePMOqDXtq0kpfxXJZY6dQCmOIvp0zVA
h8Is943KN8qDJItDIKtt1Ie6fH69jLAnLgye6SIDYgNzpKFWFJZMKKJEYOZzuQYd
azfwGGsfc8Y60GfcctgV/ZshDja7aAyIenfz4odmvqwgZL/z4F+p3yTm9+0kYwFD
H44ozWAHOmiGuOvECjbraeNb2FHvOVqqQRzZRDX27mJwzxKxhSCEPQMd1Y/jeuJg
u8qjRe0qniBJ0Gjnw1MV5KJaAp5wcXoSfF4nXjeZFcsx+ZsCaWWDg45mQhif9s50
nIQt3cqU0ToIYHplbRFEG+EDVynSwiOAt65qgVEDj0QeGpwku8GB0xTtnGmIGx7n
/xW72wAxK+kI7jx3Dr12xsxVD6clANecDsHmYSlGqkEqY/CqpkY=
=MlG1
-----END PGP SIGNATURE-----
pgppOjiLA09LL.pgp
Description: PGP signature
--- End Message ---