Source: python-ldap
Version: 3.4.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for python-ldap.

CVE-2025-61911[0]:
| python-ldap is a lightweight directory access protocol (LDAP) client
| API for Python. In versions prior to 3.4.5, the sanitization method
| `ldap.filter.escape_filter_chars` can be tricked to skip escaping of
| special characters when a crafted `list` or `dict` is supplied as
| the `assertion_value` parameter, and the non-default `escape_mode=1`
| is configured. The method `ldap.filter.escape_filter_chars` supports
| 3 different escaping modes. `escape_mode=0` (default) and
| `escape_mode=2` happen to raise exceptions when a `list` or `dict`
| object is supplied as the `assertion_value` parameter. However,
| `escape_mode=1` computes without performing adequate logic to ensure
| a fully escaped return value. If an application relies on the
| vulnerable method in the `python-ldap` library to escape untrusted
| user input, an attacker might be able to abuse the vulnerability to
| launch ldap injection attacks which could potentially disclose or
| manipulate ldap data meant to be inaccessible to them. Version 3.4.5
| fixes the issue by adding a type check at the start of the
| `ldap.filter.escape_filter_chars` method to raise an exception when
| the supplied `assertion_value` parameter is not of type `str`.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61911
    https://www.cve.org/CVERecord?id=CVE-2025-61911
[1] https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r7r6-cc7p-4v5m
[2] https://github.com/python-ldap/python-ldap/commit/464fddacd63092d6e01c62a38316a713c30ca98a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
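As an added illustration of the mitigation the advisory describes (a strict `str` type check before any escaping happens, plus a post-condition check on the result), here is a hypothetical `escape_filter_value` wrapper. It is example code written for this report, not python-ldap's own implementation: it reimplements the RFC 4515 hex escaping of `\`, `*`, `(`, `)` and NUL itself instead of calling `ldap.filter.escape_filter_chars`, so it runs without python-ldap installed.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value,
# mapped to their backslash-hex form.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# A well-formed escaped value consists only of \XX hex escapes and
# characters that are not filter metacharacters.
_ESCAPED_VALUE = re.compile(r"^(?:\\[0-9a-fA-F]{2}|[^\\*()\x00])*$")


def escape_filter_value(assertion_value):
    """Escape one assertion value for use in an LDAP search filter.

    Mirrors the hardening added in python-ldap 3.4.5: the type is checked
    up front, so a list, dict or any other non-str object raises instead of
    being partially processed. (Hypothetical wrapper, not the library's code.)
    """
    if not isinstance(assertion_value, str):
        raise TypeError(
            "assertion_value must be str, got %s" % type(assertion_value).__name__
        )
    return "".join(_SPECIAL.get(ch, ch) for ch in assertion_value)


def is_fully_escaped(value):
    """Post-condition check: True only if no raw filter metacharacter remains."""
    return _ESCAPED_VALUE.match(value) is not None


def rejects_non_str(value):
    """Return True when escape_filter_value refuses the given object."""
    try:
        escape_filter_value(value)
    except TypeError:
        return True
    return False


def build_uid_filter(user_input):
    """Build a (uid=...) filter from untrusted input, refusing anything that
    is not a plain string and verifying the escaped output before use."""
    escaped = escape_filter_value(user_input)
    if not is_fully_escaped(escaped):
        raise ValueError("escaping did not neutralise all filter metacharacters")
    return "(uid=%s)" % escaped
```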

