Your message dated Sat, 04 Jul 2026 21:12:24 +0000
with message-id <[email protected]>
and subject line Bug#1132233: fixed in pygments 2.20.0+dfsg-1
has caused the Debian Bug report #1132233,
regarding pygments: CVE-2026-4539
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132233
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pygments
Version: 2.19.2+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pygments/pygments/issues/3058
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for pygments.
CVE-2026-4539[0]:
| A security flaw has been discovered in pygments up to 2.19.2. The
| impacted element is the function AdlLexer of the file
| pygments/lexers/archetype.py. The manipulation results in
| inefficient regular expression complexity. The attack is only
| possible with local access. The exploit has been released to the
| public and may be used for attacks. The project was informed of the
| problem early through an issue report but has not responded yet.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4539
https://www.cve.org/CVERecord?id=CVE-2026-4539
[1] https://github.com/pygments/pygments/issues/3058
[2]
https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pygments
Source-Version: 2.20.0+dfsg-1
Done: Alexandre Detiste <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pygments, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexandre Detiste <[email protected]> (supplier of updated pygments package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 04 Jul 2026 21:31:34 +0200
Source: pygments
Architecture: source
Version: 2.20.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Alexandre Detiste <[email protected]>
Closes: 1132233
Changes:
pygments (2.20.0+dfsg-1) unstable; urgency=medium
.
* Team upload.
.
[ Colin Watson ]
* Move dh-python, pybuild-plugin-pyproject, and python3-sphinx to
Build-Depends.
.
[ Matheus Polkorny ]
* New upstream version 2.20.0+dfsg
- Fix: CVE-2026-4539 (Closes: #1132233)
* d/control:
- Bump Standards-Version to 4.7.4
- Drop redundant Priority field
- Drop redundant Rules-Requires-Root field
* d/copyright:
- Bump upstream copyright to 2026
- Update Files-Excluded for new upstream version
* d/p/tests-tolerate-missing-example-files.patch: Update patch
* d/upstream|watch: Migrate to watch 5
.
[ Alexandre Detiste ]
* d/salsa-ci.yml: test the <!nocheck> & <!nodoc> profiles
* use dh-sequence-python3 & dh-sequence-sphinxdoc
* d/rules: guard "make doc" in a if-block
* rewrite d/rules with newer & shorter syntax
* trim leftover Python2+3 hybridation
Checksums-Sha1:
2ab4252d3a4c5d6c93b64f38a6dfbbce176be1b7 2452 pygments_2.20.0+dfsg-1.dsc
64019820ea7089ceab96572ccab169ca232551ff 1256544
pygments_2.20.0+dfsg.orig.tar.xz
daab0411ab8c38e28c000aa5fbf7751b42884f8c 10636
pygments_2.20.0+dfsg-1.debian.tar.xz
534133af0a2f630ef3b41596191497db7366bfe5 7521
pygments_2.20.0+dfsg-1_source.buildinfo
Checksums-Sha256:
ae7a6e87a5df517e83225c77265e1ed7e962b580e9133ee3524b026bdae2a760 2452
pygments_2.20.0+dfsg-1.dsc
6fbdf3c7c6201dc30053356c4df7a9facf08624dda5d2ea2dd3eda79f8ebd327 1256544
pygments_2.20.0+dfsg.orig.tar.xz
f3d7f0807cd38b8b8f4d000ddc4a2f93a23496375fab327a6c6e67d5b7ab8dd8 10636
pygments_2.20.0+dfsg-1.debian.tar.xz
72f0e79a71cff88eae2f8e32fda85ec54e961997f0b7dae6d7939f8a0188bbf6 7521
pygments_2.20.0+dfsg-1_source.buildinfo
Files:
08af292dbcb0ab86ba91786b54b2dd1a 2452 python optional
pygments_2.20.0+dfsg-1.dsc
9064f253d17b18adc65cabfc9e4df2cc 1256544 python optional
pygments_2.20.0+dfsg.orig.tar.xz
c35a0e2373635f60c6883d958936d290 10636 python optional
pygments_2.20.0+dfsg-1.debian.tar.xz
8f7fbfa20b67050a5e5af204f0c18eab 7521 python optional
pygments_2.20.0+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEj23hBDd/OxHnQXSHMfMURUShdBoFAmpJbJoRHHRjaGV0QGRl
Ymlhbi5vcmcACgkQMfMURUShdBrkFxAAwbIn/MQm5vM1i14a+FaAtRXIJwTynIiN
Jo3oS3va9nKAMMtADdgdI/Wyp9c9Mg/FIr25/CtOwxCt/G/MjIuQWkTP/ABwQf5X
nUFJMp2X0j1zrCoWdkwMTt6Dax7kurY0PEYl3NhulYAqBBpWBewVeLwrPGuWnX2E
GqUTz6zyj0DD8zoaBMQ5YzEB0RryDLq8hf2jZ3kni++YX9f7CMrN2filBTHqSn3h
6MVnY+59ooIbtRVsyfkQWJnjkSRLpfg/8JOuqillDReUnyc7mmZqykVSG2Sm+xhp
PA70Xu91FCNqWX2oFdjrh5q20PFpjcT6e9mL/Rlm8ZASbbkxuYhKlOip2VNnhWi1
JqPLB24aqR+OlhZiAqMPQuqNrqL0bToeE0SZZsumuM+AG+PaOkVK9pY4xJgOY3oG
D87UwiapY6BHWjGzOKCygWpQWy0fHewstRhkq10Zl115lf3/tDXbH1H/ry4rnON4
CcYO77nEOo5ZpPK+S+T/2qmM1V2SJjePfDCyPINWLPyv6gwtuMVZQHWY4r0LeEY0
eqftsDC4D5fzgiBTm8rDCtM+zkv7ZsFMoVxjGE1HS0HnFJyEzcsIOxgACTvPtIHJ
5lH/v/qHSpoQ4C7nhYtPNXA0hPEQ8Q0/x+Lb0hUn7UibTD2UxzHyKm/8owUXQVOu
lax/69jslEY=
=QVHQ
-----END PGP SIGNATURE-----
pgpnsSFuVj4xV.pgp
Description: PGP signature
--- End Message ---