Control: reopen -1
python-kafka (2.0.2-12) unstable; urgency=medium
.
* CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
vulnerability in the protocol parser that allows a malicious broker or
machine-in-the-middle attacker to exhaust memory or hang connections by
sending a crafted 4-byte frame length value without bounds validation.
Attackers can send a specially crafted frame length through the
receive_bytes() function to trigger either a multi-gigabyte memory
allocation or an uncaught ValueError that leaves the connection in a broken
state, causing requests to hang and consumers to stop heartbeating until
restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
(Closes: #1139878, #1139822).
This is the fix for CVE-2026-10143.
>...
> CVE-2026-10142[0]:
> | kafka-python prior to 2.3.2 contains a denial-of-service
> | vulnerability in the protocol parser that allows a malicious broker
> | or machine-in-the-middle attacker to exhaust memory or hang
> | connections by sending a crafted 4-byte frame length value without
> | bounds validation. Attackers can send a specially crafted frame
> | length through the receive_bytes() function to trigger either a
> | multi-gigabyte memory allocation or an uncaught ValueError that
> | leaves the connection in a broken state, causing requests to hang
> | and consumers to stop heartbeating until restart.
>
> https://github.com/dpkp/kafka-python/pull/3019
> https://github.com/dpkp/kafka-python/pull/3026
> Fixed by:
> https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b
> (3.0.0)
>...
And although it is listed here that is incorrect, the correct one is:
https://github.com/dpkp/kafka-python/commit/bdb46ab1fe4f090dd8bf710c7ddb778993bbc16b
Upstream additionally lists as needed for the CVEs:
https://github.com/dpkp/kafka-python/commit/7250337f54ee60695f2a7faedd1ec2758fc7ac29
Further details:
https://github.com/dpkp/kafka-python/issues/3014#issuecomment-4663299889
cu
Adrian