Your message dated Sat, 04 Jul 2026 15:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1131472: fixed in deepdiff 8.1.1-4+deb13u1
has caused the Debian Bug report #1131472,
regarding deepdiff: CVE-2026-33155
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131472
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: deepdiff
Version: 8.6.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for deepdiff.
CVE-2026-33155[0]:
| DeepDiff is a project focused on Deep Difference and search of any
| Python data. From version 5.0.0 to before version 8.6.2, the pickle
| unpickler _RestrictedUnpickler validates which classes can be loaded
| but does not limit their constructor arguments. A few of the types
| in SAFE_TO_IMPORT have constructors that allocate memory
| proportional to their input (builtins.bytes, builtins.list,
| builtins.range). A 40-byte pickle payload can force 10+ GB of
| memory, which crashes applications that load delta objects or call
| pickle_load with untrusted data. This issue has been patched in
| version 8.6.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33155
https://www.cve.org/CVERecord?id=CVE-2026-33155
[1]
https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q
[2]
https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: deepdiff
Source-Version: 8.1.1-4+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
deepdiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated deepdiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 19:38:08 +0300
Source: deepdiff
Architecture: source
Version: 8.1.1-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1131472
Changes:
deepdiff (8.1.1-4+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-58367: Class Pollution in Delta class
* CVE-2026-33155: Memory Exhaustion DoS through SAFE_TO_IMPORT
(Closes: #1131472)
Checksums-Sha1:
6cf36386481f01a1cf5759a1dc2235457530b3d2 2545 deepdiff_8.1.1-4+deb13u1.dsc
589692ec8dd22b641c20e687eadd2c3e0986062e 448842 deepdiff_8.1.1.orig.tar.gz
739423b75a1f915a1ced7d5d9ceae749728a84ff 8032
deepdiff_8.1.1-4+deb13u1.debian.tar.xz
Checksums-Sha256:
4e27f8a1ceb4d483b1b3a64d9714b2fa2078f2e09d9fc475697505afb625063b 2545
deepdiff_8.1.1-4+deb13u1.dsc
fd2322cf01742f80ac07b64966a721d9252f674c5c0cc04f394c13c12aea6017 448842
deepdiff_8.1.1.orig.tar.gz
81b62978f5ea6e4bde8b37ec5e57201320f2237a386e8c444717f2e2738b37c2 8032
deepdiff_8.1.1-4+deb13u1.debian.tar.xz
Files:
1cbd1e6e1a9833b0f8c53d7675230e8d 2545 python optional
deepdiff_8.1.1-4+deb13u1.dsc
d63383ed8054f861c6641b77ce111f25 448842 python optional
deepdiff_8.1.1.orig.tar.gz
87ea93afbea92ac8eefbd9de66ee135b 8032 python optional
deepdiff_8.1.1-4+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpGmcUACgkQiNJCh6LY
mLEPChAAz6LYIZzr52py11XJ89v7H3aHDOtPjRIIy178g7wUpOEa//I3tWJynfSP
ZDSsImzb0kTQfgZ2q5BRffv6E9khEhhD6Hr5tgnOFZFMKrBxh1zYhopSyux1FPeu
Cu6mdcJN+FgFb+ufUptXA9GIB37XlSiZ2VXtBEP9dNu2qDzo1HIWR2D+RPMUutpu
RL3zv2iTpFXSGk02EWl/8zqOYiEPynB9gHfXRBknZJwm7+BJUNXJb8XW4Il1gzLi
GsO2VGUv9kxInCi5cnhvGdUlYOTB0aLr11PM3D7NqUU1+aFygqW14GdHS1BkeBcj
myhPv1Xg8SX1aFRmfgbN93nBix4sJD2n2QNsArAhBbRe2Ip0nqGBhwn8aMAsv89k
cQYKO+eqQL1CZmjvB9+x1kGBwkRtgL0AOHw1Ne25Ib5+aFHu3LfeUcgCeAwwm9lo
knSvoCIzjvZ6paKHHVzP/V75TnEKaAiVSwG9UsD1y9JLEeuF/7uU8KkLpmvS+Kfy
BGrkmhdMfj+eXKpEyMPi4ftxPcCiEYtppGKWzO2GIAwyR+/l3Jg+8RWk5tWTg/Xz
FRUb4MoWxHfhgYp8BqBE5SUvgMf3Ew1K7OHcEXjxYrexiMUB1a4VWoYxTC0blkCt
nh99yORNfIMgMiEfUHS6N8O5yohSMmJz6JSlvZ6sgG2x3U7NLxQ=
=UepM
-----END PGP SIGNATURE-----
pgpml6T3QVG9d.pgp
Description: PGP signature
--- End Message ---