Your message dated Sat, 11 Jul 2026 10:32:48 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1137180,
regarding trixie-pu: package python-markdown/3.7-2+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137180: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137180
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-markdown
User: [email protected]
Usertags: pu
[ Reason ]
This fixes tests failures with python3.13 >= 3.13.5-2+deb13u1, where some
changes were made to html.parser module to address CVE-2025-6069, which
broke Python-Markdown because it heavily relies on html.parser internals.
[ Impact ]
python-markdown FTBFS without these changes, see #1137043.
[ Tests ]
There are automated tests, which caught the issue and made it FTBFS.
[ Risks ]
I backported a minimal set of changes needed for the tests to pass. These
changes should be safe.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Adapt to changes in html.parser module in the new Python, backported
to Trixie as part of CVE fixes (closes: #1137043).
[ Other info ]
A similar upload for Bookworm will also have a fix for CVE-2025-69534.
I am not including it here, since it is relevant only for Python < 3.13.
--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+python-markdown (3.7-2+deb13u1) trixie; urgency=medium
+
+ * Adapt to changes in html.parser module in the new Python, backported
+ to Trixie as part of CVE fixes (closes: #1137043).
+
+ -- Dmitry Shachnev <[email protected]> Wed, 20 May 2026 11:17:38 +0300
+
python-markdown (3.7-2) unstable; urgency=medium
* Mark both binary packages as Multi-Arch: foreign (closes: #1078025).
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,2 @@
[DEFAULT]
-debian-branch=debian/master
+debian-branch=debian/trixie
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -3,4 +3,4 @@ include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
variables:
- RELEASE: 'unstable'
+ RELEASE: 'trixie'
--- /dev/null
+++ b/debian/patches/fixes_for_new_python.diff
@@ -0,0 +1,59 @@
+From: Isaac Muse <[email protected]>
+Date: Thu, 19 Jun 2025 09:46:13 -0600
+Subject: Fixes for Python 3.14
+
+- Fix issue with unclosed HTML tag `<foo`
+- Fix issue with unclosed comments
+
+Fixes #1537
+
+(cherry picked from commit 9980cb5b27b07ff48283178d98213e41543701ec)
+---
+ markdown/htmlparser.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/markdown/htmlparser.py b/markdown/htmlparser.py
+index 33b918d..6e47155 100644
+--- a/markdown/htmlparser.py
++++ b/markdown/htmlparser.py
+@@ -89,6 +89,8 @@ class HTMLExtractor(htmlparser.HTMLParser):
+
+ self.lineno_start_cache = [0]
+
++ self.override_comment_update = False
++
+ # This calls self.reset
+ super().__init__(*args, **kwargs)
+ self.md = md
+@@ -249,8 +251,21 @@ class HTMLExtractor(htmlparser.HTMLParser):
+ self.handle_empty_tag('&{};'.format(name), is_block=False)
+
+ def handle_comment(self, data: str):
++ # Check if the comment is unclosed, if so, we need to override position
++ i = self.line_offset + self.offset + len(data) + 4
++ if self.rawdata[i:i + 3] != '-->':
++ self.handle_data('<')
++ self.override_comment_update = True
++ return
+ self.handle_empty_tag('<!--{}-->'.format(data), is_block=True)
+
++ def updatepos(self, i: int, j: int) -> int:
++ if self.override_comment_update:
++ self.override_comment_update = False
++ i = 0
++ j = 1
++ return super().updatepos(i, j)
++
+ def handle_decl(self, data: str):
+ self.handle_empty_tag('<!{}>'.format(data), is_block=True)
+
+@@ -300,7 +315,8 @@ class HTMLExtractor(htmlparser.HTMLParser):
+ self.__starttag_text = None
+ endpos = self.check_for_whole_start_tag(i)
+ if endpos < 0:
+- return endpos
++ self.handle_data(self.rawdata[i:i + 1])
++ return i + 1
+ rawdata = self.rawdata
+ self.__starttag_text = rawdata[i:endpos]
+
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
disable_directory_urls.diff
disable_gh_links.diff
local_inventory.diff
+fixes_for_new_python.diff
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---