Source: python-ldap Version: 3.4.4-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for python-ldap. CVE-2025-61912[0]: | python-ldap is a lightweight directory access protocol (LDAP) client | API for Python. In versions prior to 3.4.5, | ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a | backslash followed by a literal NUL byte instead of the RFC-4514 hex | form \00. Any application that uses this helper to construct DNs | from untrusted input can be made to consistently fail before a | request is sent to the LDAP server (e.g., AD), resulting in a | client-side denial of service. Version 3.4.5 contains a patch for | the issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-61912 https://www.cve.org/CVERecord?id=CVE-2025-61912 [1] https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6 [2] https://github.com/python-ldap/python-ldap/commit/9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
