Source: python-idna
Version: 3.11-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-idna.

CVE-2026-45409[0]:
| Internationalized Domain Names in Applications (IDNA) for Python
| provides support for Internationalized Domain Names in Applications
| (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
| to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N +
| "\u6f22"` utilize the `valid_contexto` function prior to length
| rejection, and for high values of `N` will take a long time to
| process. This is the same issue as CVE-2024-3651, however the
| original remediation in 2024 was not a complete fix. A specially
| crafted argument to the `idna.encode()` function could consume
| significant resources. This may lead to a denial-of-service.
| Starting in version 3.14, the function rejects long inputs as soon
| as practicable prior to any further processing to minimize resource
| consumption. In version 3.15, this approach was extended to lesser
| used alternate functions (i.e. per-label conversions and codec
| support). A workaround is available. Domain names cannot exceed 253
| characters in length. If this length limit is enforced prior to
| passing the domain to the `idna.encode()` function, it should no
| longer consume significant resources. This is triggered by
| arbitrarily large inputs that would not occur in normal usage, but
| may be passed to the library assuming there is no preliminary input
| validation by the higher-level application.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45409
    https://www.cve.org/CVERecord?id=CVE-2026-45409
[1] https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
[2] https://github.com/kjd/idna/commit/628fef84d3eda59321c21127e73dcd873db23ead
[3] https://github.com/kjd/idna/commit/e1cb465b6376f33306a26f467d197edbcd01c4b9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
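The workaround quoted above (enforce the 253-character domain limit before calling `idna.encode()`) as an added example; this is not code from the bug report or from the idna project, and the `guarded_encode` / `encoder_calls_for` names are my own. It uses `idna` if installed and otherwise falls back to the stdlib `"idna"` codec, and counts encoder calls to show that over-long input never reaches the library.

```python
"""Length guard placed in front of idna.encode() (illustrative, not idna's own code)."""

MAX_DOMAIN_LEN = 253  # limit named in the advisory; the check happens before any IDNA work

try:
    import idna  # the affected library, when available

    def _encode(domain: str) -> bytes:
        return idna.encode(domain)
except ImportError:  # fall back to the stdlib codec so the example runs anywhere

    def _encode(domain: str) -> bytes:
        return domain.encode("idna")


def guarded_encode(domain: str, encoder=_encode) -> bytes:
    """Reject input longer than MAX_DOMAIN_LEN before the encoder sees it."""
    if len(domain) > MAX_DOMAIN_LEN:
        raise ValueError(f"domain too long: {len(domain)} > {MAX_DOMAIN_LEN} characters")
    return encoder(domain)


def encoder_calls_for(domain: str) -> int:
    """Return how many times the underlying encoder ran for this input (0 if rejected early)."""
    calls = 0

    def counting(s: str) -> bytes:
        nonlocal calls
        calls += 1
        return _encode(s)

    try:
        guarded_encode(domain, encoder=counting)
    except ValueError:
        pass
    return calls


if __name__ == "__main__":
    # Constructed inputs: a normal name and a long payload of the shape the advisory describes.
    print(guarded_encode("b\u00fccher.example"))  # xn--bcher-kva.example
    long_payload = "\u0660" * 100000
    print("encoder calls for long payload:", encoder_calls_for(long_payload))
```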

