Your message dated Thu, 08 Jan 2026 20:54:17 +0000
with message-id <[email protected]>
and subject line Bug#1122030: fixed in python-urllib3 2.5.0-1.1
has caused the Debian Bug report #1122030,
regarding python-urllib3: CVE-2025-66418
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122030
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.5.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-urllib3.
CVE-2025-66418[0]:
| urllib3 is a user-friendly HTTP client library for Python. Starting
| in version 1.24 and prior to 2.6.0, the number of links in the
| decompression chain was unbounded allowing a malicious server to
| insert a virtually unlimited number of compression steps leading to
| high CPU usage and massive memory allocation for the decompressed
| data. This vulnerability is fixed in 2.6.0.
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-66418
https://www.cve.org/CVERecord?id=CVE-2025-66418
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
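An added illustration of the mitigation the CVE text describes (this is example code, not urllib3's own fix or anything from this report): a response-body decoder that parses the Content-Encoding chain, refuses chains longer than an assumed cap, and a constructed nested-gzip body to exercise it. The cap value MAX_DECODE_CHAIN and all function names here are assumptions.

```python
import gzip
import zlib

# Assumed cap on the number of stacked encodings; the exact bound chosen
# upstream in 2.6.0 is not stated in this report.
MAX_DECODE_CHAIN = 5


class DecompressionChainTooLong(ValueError):
    """Raised when a server advertises more encoding links than we accept."""


def parse_content_encoding(header: str) -> list[str]:
    """Split 'gzip, deflate' into ['gzip', 'deflate'], dropping 'identity'."""
    parts = [p.strip().lower() for p in header.split(",")]
    return [p for p in parts if p and p != "identity"]


def _inflate(data: bytes) -> bytes:
    """Handle both zlib-wrapped and raw deflate bodies."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return zlib.decompress(data, -zlib.MAX_WBITS)


def decode_body(body: bytes, content_encoding: str,
                max_links: int = MAX_DECODE_CHAIN) -> bytes:
    """Undo the encodings a server applied, bounding the chain length first."""
    chain = parse_content_encoding(content_encoding)
    if len(chain) > max_links:
        raise DecompressionChainTooLong(
            f"{len(chain)} encoding links exceeds limit of {max_links}")
    # The server applied encodings left to right, so we undo them right to left.
    for enc in reversed(chain):
        if enc in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif enc == "deflate":
            body = _inflate(body)
        else:
            raise ValueError(f"unsupported content-coding: {enc}")
    return body


def build_nested_response(payload: bytes, links: int) -> tuple[bytes, str]:
    """Constructed sample: gzip `payload` `links` times, returning (body, header)."""
    body = payload
    for _ in range(links):
        body = gzip.compress(body)
    return body, ", ".join(["gzip"] * links)
```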
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.5.0-1.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 03 Jan 2026 20:00:44 +0100
Source: python-urllib3
Architecture: source
Version: 2.5.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1122030
Changes:
python-urllib3 (2.5.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Unbounded number of links in the decompression chain (CVE-2025-66418)
(Closes: #1122030)
--- End Message ---