Your message dated Sat, 10 Jan 2026 17:50:26 +0000
with message-id <[email protected]>
and subject line Bug#1125062: fixed in python-urllib3 2.5.0-2
has caused the Debian Bug report #1125062,
regarding python-urllib3: CVE-2026-21441
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125062
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-urllib3.
CVE-2026-21441[0]:
| urllib3 is an HTTP client library for Python. urllib3's streaming
| API is designed for the efficient handling of large HTTP responses
| by reading the content in chunks, rather than loading the entire
| response body into memory at once. urllib3 can perform decoding or
| decompression based on the HTTP `Content-Encoding` header (e.g.,
| `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API,
| the library decompresses only the necessary bytes, enabling partial
| content consumption. Starting in version 1.22 and prior to version
| 2.6.3, for HTTP redirect responses, the library would read the
| entire response body to drain the connection and decompress the
| content unnecessarily. This decompression occurred even before any
| read methods were called, and configured read limits did not
| restrict the amount of decompressed data. As a result, there was no
| safeguard against decompression bombs. A malicious server could
| exploit this to trigger excessive resource consumption on the
| client. Applications and libraries are affected when they stream
| content from untrusted sources by setting `preload_content=False`
| when they do not disable redirects. Users should upgrade to at least
| urllib3 v2.6.3, in which the library does not decode content of
| redirect responses when `preload_content=False`. If upgrading is not
| immediately possible, disable redirects by setting `redirect=False`
| for requests to untrusted sources.
https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
(2.6.3)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21441
https://www.cve.org/CVERecord?id=CVE-2026-21441
Please adjust the affected versions in the BTS as needed.
--- End Message ---
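The failure mode the report describes is a decoder that expands a `Content-Encoding: gzip` body with no ceiling on the decoded size, applied to a redirect body nobody is going to read. The following is an added example, not code from the bug report, from urllib3 or from the Debian package: it builds a small constructed gzip bomb, shows a decoder that enforces a limit on decoded bytes (the safeguard that the advisory says did not apply to redirect responses), and models the fixed behaviour of draining a 3xx response without decoding it. It uses only the Python standard library; `bounded_gunzip`, `consume_response` and the `max_decoded` limit are hypothetical names for this illustration, not urllib3 parameters.

```python
import gzip
import io
import zlib


class DecompressionBombError(ValueError):
    """Raised when decoded output would exceed the configured limit."""


def gzip_encode(payload):
    """gzip-compress a legitimate body (used for the non-bomb cases)."""
    return gzip.compress(payload)


def make_gzip_bomb(plain_size=32 * 1024 * 1024):
    """Constructed sample input: `plain_size` zero bytes, gzip-compressed.

    Highly repetitive data compresses roughly 1000:1, so a few tens of KiB
    on the wire expand to tens of MiB when decoded. This stands in for the
    body a malicious server could attach to a redirect response.
    """
    buf = io.BytesIO()
    chunk = b"\0" * (1024 * 1024)
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        for _ in range(plain_size // len(chunk)):
            gz.write(chunk)
    return buf.getvalue()


def bounded_gunzip(data, max_decoded):
    """Decode a gzip body but never hold more than `max_decoded` output bytes.

    zlib.decompressobj(...).decompress(chunk, max_length) caps how much
    output one call may produce; input it could not process is left in
    `unconsumed_tail`. Feeding that back with a shrinking budget gives a
    decoder that fails closed on a bomb instead of exhausting memory.
    """
    decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pending = data
    while pending:
        # Ask for one byte more than the remaining budget so that an
        # over-limit stream is detected without allocating all of it first.
        budget = max_decoded - len(out) + 1
        out += decoder.decompress(pending, budget)
        if len(out) > max_decoded:
            raise DecompressionBombError(
                f"decoded body exceeds {max_decoded} bytes; refusing to continue"
            )
        pending = decoder.unconsumed_tail
    if not decoder.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def consume_response(status, headers, raw_body, max_decoded):
    """Model of the fixed behaviour (hypothetical helper, not urllib3's API).

    A redirect (3xx) is only drained: its raw bytes are discarded without
    ever being decoded, because the caller follows `Location` and never
    reads this body. Any other response is decoded under the limit.
    """
    if 300 <= status < 400:
        return b""  # drain: drop the raw bytes, no decompression at all
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        return bounded_gunzip(raw_body, max_decoded)
    if len(raw_body) > max_decoded:
        raise DecompressionBombError(f"body exceeds {max_decoded} bytes")
    return bytes(raw_body)


if __name__ == "__main__":
    bomb = make_gzip_bomb()
    print(f"bomb on the wire: {len(bomb)} bytes")
    redirect_headers = {"content-encoding": "gzip", "location": "/next"}
    # Redirect: drained, never decoded, so the bomb is harmless.
    assert consume_response(302, redirect_headers, bomb, 1024 * 1024) == b""
    # Final response: decoded, but the limit trips long before 32 MiB.
    try:
        consume_response(200, redirect_headers, bomb, 1024 * 1024)
    except DecompressionBombError as exc:
        print(f"blocked: {exc}")
```

For code that uses urllib3 itself the advisory's guidance stands: upgrade to a fixed version, or pass `redirect=False` for requests to untrusted hosts and follow `Location` yourself, so that a 3xx body is never handed to the decoder.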
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.5.0-2
Done: Santiago Vila <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <[email protected]> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Jan 2026 18:20:00 +0100
Source: python-urllib3
Architecture: source
Version: 2.5.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Santiago Vila <[email protected]>
Closes: 1125062
Changes:
python-urllib3 (2.5.0-2) unstable; urgency=medium
.
* Team upload.
.
[ Salvatore Bonaccorso ]
* Fix security issue where decompression-bomb safeguards of the
streaming API were bypassed when HTTP redirects were followed.
(CVE-2026-21441) (Closes: #1125062)
.
[ Santiago Vila ]
* Drop debian/.gitignore, dpkg-buildpackage dislikes it.
* d/control: Drop "Rules-Requires-Root: no" (default).
* d/control: Drop "Priority: optional" (default).
* d/control: Update standards-version.
Checksums-Sha1:
7cda2cc9918ab44b1a69124221ff48e7da1bb176 2404 python-urllib3_2.5.0-2.dsc
c9e8f43d257af4c593dad8a3db7d7b26ca7ff457 39496 python-urllib3_2.5.0-2.debian.tar.xz
60d4e3c55a15ba18c514e050bc1acf01441cb0dc 5811 python-urllib3_2.5.0-2_source.buildinfo
Checksums-Sha256:
3223b400eb98cdb08326114f179e4687ea4ac889aaf21090c5c5ff0dfa36c669 2404 python-urllib3_2.5.0-2.dsc
eb395b6fb6b1bea9162fab2781607d4505802e2c41bc2dcb75b0bf42f8b63df9 39496 python-urllib3_2.5.0-2.debian.tar.xz
deee2dd0010bdeedb2d8fb7302652663b4c52692c70ef768a854a708f2f9096b 5811 python-urllib3_2.5.0-2_source.buildinfo
Files:
7531a860ede388eca756b72cd22ee7eb 2404 python optional python-urllib3_2.5.0-2.dsc
709e1e2490fb38cb5afce4c989bb71e9 39496 python optional python-urllib3_2.5.0-2.debian.tar.xz
7b9566355d2a151e9487200387a52993 5811 python optional python-urllib3_2.5.0-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAmliitgACgkQQc5/C58b
izLKDgf/e2wu7jHP2i2QeYPOSm4MKQXk9rCzc5nXwCGBhpMQjWhk/B7K+dFOfson
LQ6CKCq+EJ6giCcBedZZ9fDQIv+vn/Ricuj8UQLM4th6dWe6995asaTJYL3U+PDQ
Y9P5FgKxYeYH9xquGYkNboD/owp/sfKvuftzH26mK5ZK8J8o7RbjQCQ6RYz2Z8K8
WOnnsqOuV29AzffDd5Sq3aptfd4EpQDMOQ/HJdKlmHQOrwhYjw81PnkTY4YCiTSE
9jxw1lo0WN/FIewhJUMIRPaRN+v4pOtIHRaKumJ/rmWtliQIyjk8EB0KFz33hg+G
CTGMTty0Y42qunWRnJge8gY2Vp8O8Q==
=Eyzg
-----END PGP SIGNATURE-----
--- End Message ---