Your message dated Sun, 05 Jul 2026 13:05:12 +0000
with message-id <[email protected]>
and subject line Bug#1141340: fixed in python-msgpack 1.1.2-3
has caused the Debian Bug report #1141340,
regarding python-msgpack: CVE-2026-57585
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141340
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-msgpack
Version: 1.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-msgpack.
CVE-2026-57585[0]:
| MessagePack is the serializer implementation for Python msgpack.org.
| Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker
| reuse after a caught error, potentially leading to a DoS attack. If
| the Unpacker is used repeatedly after an error occurs, the process
| may crash with a SEGV. This issue has been fixed in version 1.2.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-57585
https://www.cve.org/CVERecord?id=CVE-2026-57585
[1]
https://github.com/msgpack/msgpack-python/security/advisories/GHSA-6v7p-g79w-8964
[2]
https://github.com/msgpack/msgpack-python/commit/2c56ddb5d0025ed481d962c0f5d62d19dec7476d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-msgpack
Source-Version: 1.1.2-3
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-msgpack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-msgpack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Jul 2026 13:23:43 +0200
Source: python-msgpack
Architecture: source
Version: 1.1.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1141340
Changes:
python-msgpack (1.1.2-3) unstable; urgency=high
.
* CVE-2026-57585: Out-of-bounds read/crash on Unpacker reuse after a caught
error, potentially leading to a DoS attack. Applied upstream patch: "fix
Unpacker crash after unpack failure" (Closes: #1141340).
Checksums-Sha1:
c1b00cded578b4f66359bc8f1313352c1e02aa30 2211 python-msgpack_1.1.2-3.dsc
bbf1aebd5d0e6e8de980800f91377a72ca70161f 6552
python-msgpack_1.1.2-3.debian.tar.xz
e40452dce25823cc0f011db7c2fd83dee01c9f4e 8229
python-msgpack_1.1.2-3_amd64.buildinfo
Checksums-Sha256:
65c3e46b6bef67e5fa5eddd14bce456d3c86d4f810a0793936ab0b21d2da9cd4 2211
python-msgpack_1.1.2-3.dsc
739a0dd6e8cda04464ba5eadd2911a0fa5ebe831a5e9ddbb5276ac7fc1eccb85 6552
python-msgpack_1.1.2-3.debian.tar.xz
daa29fc3a0cdc07200714834633717a7a507b78b98361dd4df67899298955034 8229
python-msgpack_1.1.2-3_amd64.buildinfo
Files:
0f81b5e1151bfc0d62ebc4534944f4f5 2211 python optional
python-msgpack_1.1.2-3.dsc
c9a4095700dcc97971a839b5889a70f1 6552 python optional
python-msgpack_1.1.2-3.debian.tar.xz
c352bbaf467d472809db3ef491316714 8229 python optional
python-msgpack_1.1.2-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmpKUYoACgkQ1BatFaxr
Q/6bKw/+Id49QBkk3p5nMygj6XDTza9d7ITX9f5AGS0ROUp9tD30bo2WFQg10XOl
DDlmdvMRM0OOuMHakVPmvxvmXVaBXw6gJJIXX/Kt7pSupq0WrFZHWK1WH1ugBYYy
WKuONOCru8/+vUpqGJ3ELq9j4+f6v6scw6FWL9mCwc21/26s5E4mYGIcOw5J3SBZ
2FBo0rhVHyVAoVCMzY4TiSUG0AH74faJ/2y6Or6HSjI/JcQ4hGAqZ7sF0kWeshXD
bBiiuU4+2SiEVrBYsZ7piQX7wS2Ab1q6XbaW7AvES5kHAF9wcUWA96yKwYvHtcck
jkx7TB8DKt4aP6NzbWDF8c1eNonPfDsxkZOrRw8dITDoDUcjIrB7Dz9hZBZJw0tQ
cHShihQzmUwDE9NIS//NkIb7VxKkzWlWUeY9k81KKf4VQY2M2dZln8M0OGdaEXlU
+PI0UwWAgr05rBqe5eq8O9xuZXzepcFQWT46aetREmN4cqR7EbA5KMZC9NpOY6lY
txqgP1wsHZuMP4S2shMNYVZThkcuOWjdyGSQwrLNiUtawXAlKOzBwUGEFrQbA268
36fZD1ySwT4H+Y8Y/XJyEWjFxlag/lwt6n1Bqn4suGIGw1oxJJcCd1Pl86+ThTf0
whlol1s63DAkI2BFa544UnuVSpEcQEoOq+vNm9JD6skgpbjc0kU=
=5g42
-----END PGP SIGNATURE-----
pgpvZnFVDXFjY.pgp
Description: PGP signature
--- End Message ---