Your message dated Tue, 7 Jul 2026 07:58:24 +0200
with message-id <[email protected]>
and subject line Re: Accepted ujson 5.13.0-1 (source) into unstable
has caused the Debian Bug report #1138258,
regarding ujson: CVE-2026-44660
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138258
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ujson
Version: 5.11.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ujson.

CVE-2026-44660[0]:
| UltraJSON is a fast JSON encoder and decoder written in pure C with
| bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes
| to a file-like object and the write operation raises an exception,
| the serialized JSON string object is not decremented, leaking
| memory. Each failed write operation leaks the full size of the
| serialized payload. This vulnerability is fixed in 5.12.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44660
    https://www.cve.org/CVERecord?id=CVE-2026-44660
[1] 
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
[2] 
https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ujson
Source-Version: 5.13.0-1

On Tue, Jul 07, 2026 at 12:33:49AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 06 Jul 2026 17:20:58 -0700
> Source: ujson
> Architecture: source
> Version: 5.13.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Mo Zhou <[email protected]>
> Changes:
>  ujson (5.13.0-1) unstable; urgency=medium
>  .
>    * New upstream version 5.13.0
> Checksums-Sha1:
>  3907fbb63de0940b616ab5161fc1c8708129b27c 2140 ujson_5.13.0-1.dsc
>  34bc4d414a69c1d9dbe0490df2928814ddf3d179 124860 ujson_5.13.0.orig.tar.xz
>  730d15f0fab09191374606088fc56e23a696dcf6 5868 ujson_5.13.0-1.debian.tar.xz
>  ce8542df002ee4a3064539d8358bf6c9f4d2f71b 6226 ujson_5.13.0-1_source.buildinfo
> Checksums-Sha256:
>  3639f2911538a4ff613d3eb21a37eddec9d5b93855aa561a6fdb3eda8e95ea3d 2140 
> ujson_5.13.0-1.dsc
>  c0d251080baae3571f132fd1441ce2c557ee3ed92bbe0d76160e50f577919fa8 124860 
> ujson_5.13.0.orig.tar.xz
>  61894c2fe34f64bb8971b2e9082128545fabfc422c59e04e9499570d1721aa9c 5868 
> ujson_5.13.0-1.debian.tar.xz
>  9d71fab35000f502afeb77b2238221f45fc423d9d2db54371db84dc474be1072 6226 
> ujson_5.13.0-1_source.buildinfo
> Files:
>  2b12b9125e4f0dc825241ebb1c90a254 2140 python optional ujson_5.13.0-1.dsc
>  fe293d296efcaf75450bc623e236cf21 124860 python optional 
> ujson_5.13.0.orig.tar.xz
>  d38b8e017e3b1dc38a1d0f28aa3e7d20 5868 python optional 
> ujson_5.13.0-1.debian.tar.xz
>  cd43ba28d646ca3fcb8468c21ffc2c2a 6226 python optional 
> ujson_5.13.0-1_source.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJFBAEBCgAvFiEEY4vHXsHlxYkGfjXeYmRes19oaooFAmpMRtoRHGx1bWluQGRl
> Ymlhbi5vcmcACgkQYmRes19oaooZ8BAAo4CmK84LdT2impPkK5Wqs8tF1CnPHrYX
> BF5NYHQ3/CUd5KDI2YSGfRFT/ZuFPMvJFJKpyW4yooAdo/c82c0myy9kcD/dFQ7O
> 9KyVWjry0X7nMT/c+zpewVyciRld5mnQFS3+kIqVZ6YBFfkCPQO+bfDi+X79JnKM
> JZbQW2jrywXdTtwSZjz2Q1fsCUWGFc2t/7fvk2ERa1+c3d2ydMzJVRjHxZjn2HfF
> 3rrxkZLzaWLkpULIPJkOlOll4HwTSEzZVWBoU9JmSlRwCh6NK0+73r+NP4dlFEeW
> Z9aJbNT4v6LhOXUSP8Sn/7d1cbzqNd3N40j3GJQhkd/IiKXXL/uE85cTA6LmPyYm
> S6hu0gMjpt420oReEZ32PssQSGArpnnALDk4t+AY+3nqZbOKQcbptgSYGFc4BUDF
> wBYMfCTX93wQcJCuOvfKkgqy8Eo8Hr/ZBKzD6oE+cXvYNi/d0aPzGf8MPR+G4pnW
> Xaf31j8snD2xtYUrvu3bUBDixNCJhAMzb5P2+CfafUQPUVV5VNRLhi+POBcNmdC5
> J1ikWMdTNjxRiN3fHTdDZgahXXL7fP+dUOeCWFWR4C7LTjGH1X2136fgxyQDOrk4
> zw6kSwaeBUyS+1wcA9wWJxsRXoukKPDC7NPVo3z1/9euVGlV2b7wnq42sMJI/r18
> t4MmY/MY8gs=
> =BcdB
> -----END PGP SIGNATURE-----

--- End Message ---

Reply via email to