Your message dated Sat, 04 Jul 2026 15:48:36 +0000
with message-id <[email protected]>
and subject line Bug#1138864: fixed in python-daphne 4.1.2-2+deb13u1
has caused the Debian Bug report #1138864,
regarding python-daphne: CVE-2026-44545 CVE-2026-44546
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138864
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-daphne
Version: 4.2.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for python-daphne.

CVE-2026-44545[0]:
| daphne before 4.2.2 did not pass maxFramePayloadSize or
| maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because
| Autobahn defaults both values to 0 (unlimited), an unauthenticated
| remote attacker could send arbitrarily large WebSocket messages or
| frames, causing excessive memory consumption and a denial of
| service.


CVE-2026-44546[1]:
| daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's
| parsed headers and feeds it to autobahn for WebSocket handshake
| processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or
| \x85 as header line separators, but autobahn decodes header values
| to str and calls splitlines(). An attacker can exploit this parser
| differential to inject additional headers into the ASGI scope passed
| to the application. daphne now rejects requests with these bytes in
| any header value with a 400 response.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44545
    https://www.cve.org/CVERecord?id=CVE-2026-44545
[1] https://security-tracker.debian.org/tracker/CVE-2026-44546
    https://www.cve.org/CVERecord?id=CVE-2026-44546

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-daphne
Source-Version: 4.1.2-2+deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-daphne, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-daphne package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Jul 2026 20:38:15 +0300
Source: python-daphne
Architecture: source
Version: 4.1.2-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1138864
Changes:
 python-daphne (4.1.2-2+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-44545: DoS via unbounded WebSocket message sizes
   * CVE-2026-44546: Header injection on WebSocket upgrade path
   * (Closes: #1138864)
Checksums-Sha1:
 9021dd90dad40a2a17cfecd2d971003c84a4302f 2323 python-daphne_4.1.2-2+deb13u1.dsc
 dfb9b1d20d9184a594934b5193bda20fe8247422 43121 python-daphne_4.1.2.orig.tar.gz
 dd019c7771bfc92b1689c206f00029461798be91 10892 
python-daphne_4.1.2-2+deb13u1.debian.tar.xz
Checksums-Sha256:
 b39d547539ff67b3cee62aa96f908c9e1795c5fae9cf4d00e3ccabd266b8b350 2323 
python-daphne_4.1.2-2+deb13u1.dsc
 28af2709c714afa3b505e44b1fbc335109f6392f7110215a21d76f7c69e8b61c 43121 
python-daphne_4.1.2.orig.tar.gz
 2d0a4645ceb12ef8b83c5df26ce7569315d5b775bb0357771bd72826490b08e0 10892 
python-daphne_4.1.2-2+deb13u1.debian.tar.xz
Files:
 7209dfd1ecd5f9f5634baac82245b5be 2323 python optional 
python-daphne_4.1.2-2+deb13u1.dsc
 0f19bb8ac1ce3e587c3f607171df3916 43121 python optional 
python-daphne_4.1.2.orig.tar.gz
 e34576d84ff06454d645b74f1771f3d6 10892 python optional 
python-daphne_4.1.2-2+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpH9R0ACgkQiNJCh6LY
mLG+6g/9Hb3ho/V8Lug8bxeRZaB0A72jEfzGyJLkVo8Xnpa9bJYSTAgwE7Qbfjzx
0L4lUeb5Yl0WcxNZ3j+3YpILREIp6gfcQazlybpBdwkBNO2hi6x98GYQdEqN6SQT
7Oaph8AAW5Yy+9t01rMKvph0pNbKvgFyMG60xIhH+on0SXYUFeEFENpyRijGRkg/
TtifR74P6BRFwbD3eDleOjvu6iei4dTHwM3qV1LmdXJuNGyw+gCPAppXgsJ9T9po
C+/PogH1jdso2xJydOEsPFbozuNGw6oBgJ2zlQ4IMiy9uQPmxrDTHPLqF5Ujlw8n
ACi+di+CzbsDegEpffuBRvZuUpy428zYRgCdqRg3EtrkEplsYJWRWWEoFOBH/7ve
awuGZp/lvNqNfvwPZk0z9lu301uNvel65wV1fR3lTKG2WMMR5QQX1cfnNZZHDxCK
qDvNMCZzPu+udMDnWL60c9wLZmq/d7AwufCHZ1SbGu5gOx+vuWvT4nSlAFCL7qKh
4q7MnwULgzLCmWWn0eupCjbkIwuEMEoaMPy1FxYX4SWsQq0QXzPrrxe0Ob/K/zlP
574GCx7caEmT+99waScxMlhHOf6giJZk9zjiO/aFq3W8oScOx4m6jarBC5bcLm/e
mpvYGU349XnTtAbKesPVFXhkyWqCe3DvQ/FHPnIwOxRtJdulVf0=
=nSTU
-----END PGP SIGNATURE-----

Attachment: pgpcA6_EUAyrv.pgp
Description: PGP signature


--- End Message ---

Reply via email to