Your message dated Tue, 7 Jul 2026 07:58:24 +0200
with message-id <[email protected]>
and subject line Re: Accepted ujson 5.13.0-1 (source) into unstable
has caused the Debian Bug report #1131486,
regarding ujson: CVE-2026-32874
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131486
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ujson
Version: 5.11.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ujson.

CVE-2026-32874[0]:
| UltraJSON is a fast JSON encoder and decoder written in pure C with
| bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an
| accumulating memory leak in JSON parsing large (outside of the range
| [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the
| string form of the integer plus an additional NULL byte. The leak
| occurs irrespective of whether the integer parses successfully or is
| rejected due to having more than sys.get_int_max_str_digits()
| digits, meaning that any sized leak per malicious JSON can be
| achieved provided that there is no limit on the overall size of the
| payload. Any service that calls
| ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is
| affected and vulnerable to denial of service attacks. This issue has
| been fixed in version 5.12.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32874
    https://www.cve.org/CVERecord?id=CVE-2026-32874
[1] 
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm
[2] 
https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ujson
Source-Version: 5.13.0-1

On Tue, Jul 07, 2026 at 12:33:49AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 06 Jul 2026 17:20:58 -0700
> Source: ujson
> Architecture: source
> Version: 5.13.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Mo Zhou <[email protected]>
> Changes:
>  ujson (5.13.0-1) unstable; urgency=medium
>  .
>    * New upstream version 5.13.0
> Checksums-Sha1:
>  3907fbb63de0940b616ab5161fc1c8708129b27c 2140 ujson_5.13.0-1.dsc
>  34bc4d414a69c1d9dbe0490df2928814ddf3d179 124860 ujson_5.13.0.orig.tar.xz
>  730d15f0fab09191374606088fc56e23a696dcf6 5868 ujson_5.13.0-1.debian.tar.xz
>  ce8542df002ee4a3064539d8358bf6c9f4d2f71b 6226 ujson_5.13.0-1_source.buildinfo
> Checksums-Sha256:
>  3639f2911538a4ff613d3eb21a37eddec9d5b93855aa561a6fdb3eda8e95ea3d 2140 
> ujson_5.13.0-1.dsc
>  c0d251080baae3571f132fd1441ce2c557ee3ed92bbe0d76160e50f577919fa8 124860 
> ujson_5.13.0.orig.tar.xz
>  61894c2fe34f64bb8971b2e9082128545fabfc422c59e04e9499570d1721aa9c 5868 
> ujson_5.13.0-1.debian.tar.xz
>  9d71fab35000f502afeb77b2238221f45fc423d9d2db54371db84dc474be1072 6226 
> ujson_5.13.0-1_source.buildinfo
> Files:
>  2b12b9125e4f0dc825241ebb1c90a254 2140 python optional ujson_5.13.0-1.dsc
>  fe293d296efcaf75450bc623e236cf21 124860 python optional 
> ujson_5.13.0.orig.tar.xz
>  d38b8e017e3b1dc38a1d0f28aa3e7d20 5868 python optional 
> ujson_5.13.0-1.debian.tar.xz
>  cd43ba28d646ca3fcb8468c21ffc2c2a 6226 python optional 
> ujson_5.13.0-1_source.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJFBAEBCgAvFiEEY4vHXsHlxYkGfjXeYmRes19oaooFAmpMRtoRHGx1bWluQGRl
> Ymlhbi5vcmcACgkQYmRes19oaooZ8BAAo4CmK84LdT2impPkK5Wqs8tF1CnPHrYX
> BF5NYHQ3/CUd5KDI2YSGfRFT/ZuFPMvJFJKpyW4yooAdo/c82c0myy9kcD/dFQ7O
> 9KyVWjry0X7nMT/c+zpewVyciRld5mnQFS3+kIqVZ6YBFfkCPQO+bfDi+X79JnKM
> JZbQW2jrywXdTtwSZjz2Q1fsCUWGFc2t/7fvk2ERa1+c3d2ydMzJVRjHxZjn2HfF
> 3rrxkZLzaWLkpULIPJkOlOll4HwTSEzZVWBoU9JmSlRwCh6NK0+73r+NP4dlFEeW
> Z9aJbNT4v6LhOXUSP8Sn/7d1cbzqNd3N40j3GJQhkd/IiKXXL/uE85cTA6LmPyYm
> S6hu0gMjpt420oReEZ32PssQSGArpnnALDk4t+AY+3nqZbOKQcbptgSYGFc4BUDF
> wBYMfCTX93wQcJCuOvfKkgqy8Eo8Hr/ZBKzD6oE+cXvYNi/d0aPzGf8MPR+G4pnW
> Xaf31j8snD2xtYUrvu3bUBDixNCJhAMzb5P2+CfafUQPUVV5VNRLhi+POBcNmdC5
> J1ikWMdTNjxRiN3fHTdDZgahXXL7fP+dUOeCWFWR4C7LTjGH1X2136fgxyQDOrk4
> zw6kSwaeBUyS+1wcA9wWJxsRXoukKPDC7NPVo3z1/9euVGlV2b7wnq42sMJI/r18
> t4MmY/MY8gs=
> =BcdB
> -----END PGP SIGNATURE-----

--- End Message ---

Reply via email to