Source: debian-security-support
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Version: 1:13+2026.01.04
Severity: normal
Tags: security

Dear Maintainer,

ply (binary package 'python3-ply') is unmaintained upstream:
https://github.com/dabeaz/ply#important-notice---december-21-2025
https://github.com/dabeaz/ply/commit/9d7c40099e23ff78f9d86ef69a26c1e8a83e706a

We are not able to get official security feedback, e.g. for:
https://www.openwall.com/lists/oss-security/2026/01/23/4
which is both 9.8/critical:
https://nvd.nist.gov/vuln/detail/CVE-2025-56005
and unimportant at Debian:
https://security-tracker.debian.org/tracker/CVE-2025-56005
and disputed at independent pages:
https://github.com/tom025/ply_exploit_rejection

More importantly we won't get security fixes either.

The project is otherwise considered obsoleted by various other libraries, so a takeover is unlikely.
The PyPI page didn't see updates either since 2018:
https://pypi.org/project/ply/#history

Consequently it would make sense to mark this package as unsupported in all dists.

See also:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/work_items/320

Cheers!
Sylvain Beucler
Debian LTS Team

