Your message dated Sat, 24 Jan 2026 11:04:17 +0000
with message-id <[email protected]>
and subject line Bug#1125062: fixed in python-urllib3 2.3.0-3+deb13u1
has caused the Debian Bug report #1125062,
regarding python-urllib3: CVE-2026-21441
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125062
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-urllib3.

CVE-2026-21441[0]:
| urllib3 is an HTTP client library for Python. urllib3's streaming
| API is designed for the efficient handling of large HTTP responses
| by reading the content in chunks, rather than loading the entire
| response body into memory at once. urllib3 can perform decoding or
| decompression based on the HTTP `Content-Encoding` header (e.g.,
| `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API,
| the library decompresses only the necessary bytes, enabling partial
| content consumption. Starting in version 1.22 and prior to version
| 2.6.3, for HTTP redirect responses, the library would read the
| entire response body to drain the connection and decompress the
| content unnecessarily. This decompression occurred even before any
| read methods were called, and configured read limits did not
| restrict the amount of decompressed data. As a result, there was no
| safeguard against decompression bombs. A malicious server could
| exploit this to trigger excessive resource consumption on the
| client. Applications and libraries are affected when they stream
| content from untrusted sources by setting `preload_content=False`
| when they do not disable redirects. Users should upgrade to at least
| urllib3 v2.6.3, in which the library does not decode content of
| redirect responses when `preload_content=False`. If upgrading is not
| immediately possible, disable redirects by setting `redirect=False`
| for requests to untrusted sources.

https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b (2.6.3)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21441
    https://www.cve.org/CVERecord?id=CVE-2026-21441

Please adjust the affected versions in the BTS as needed.

--- End Message ---
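The advisory above rests on one point: a limit on bytes read from the wire says nothing about how much data they decode to, and the unsafe path decoded a redirect body with no cap at all. The following added example is not from the bug report, the advisory or urllib3 itself; it shows the consumer-side safeguard the advisory describes as missing, a gzip decoder that caps decoded output, exercised on a constructed 8 MiB body of zeros that is only a few KiB compressed (function and exception names are my own).

```python
import gzip
import zlib

# Constructed sample input: 8 MiB of zero bytes. gzip shrinks it to a few
# KiB, so a limit on bytes read from the wire would never trip, while the
# decoded size is about a thousand times larger. This is the shape of body
# the advisory calls a decompression bomb.
DECODED_SIZE = 8 * 1024 * 1024
BOMB = gzip.compress(b"\0" * DECODED_SIZE)
SMALL = gzip.compress(b"small body")  # constructed benign body


class DecompressionLimitExceeded(Exception):
    """Raised when a body decodes to more bytes than the caller allowed."""


def decode_bounded(compressed, max_decoded, read_size=4096):
    """Gzip-decode `compressed` while capping the number of decoded bytes.

    The input is consumed in `read_size` slices to mimic socket reads from a
    streaming response. zlib's max_length keeps each decompress() call from
    emitting more than `read_size` bytes, so the cap is checked before any
    large amount of decoded data exists in memory.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pos = 0
    pending = b""
    while True:
        if not pending and pos < len(compressed):
            pending = compressed[pos:pos + read_size]  # next "socket read"
            pos += read_size
        chunk = d.decompress(pending, max_length=read_size)
        out += chunk
        if len(out) > max_decoded:
            raise DecompressionLimitExceeded(
                f"decoded more than {max_decoded} bytes from {pos} on the wire")
        if d.eof:
            return bytes(out)
        if not chunk and not pending and pos >= len(compressed):
            raise ValueError("truncated gzip stream")
        pending = d.unconsumed_tail  # input zlib has not processed yet


def is_bomb(compressed, max_decoded):
    """True if decoding `compressed` would exceed `max_decoded` bytes."""
    try:
        decode_bounded(compressed, max_decoded)
    except DecompressionLimitExceeded:
        return True
    return False
```

Note that the cap must apply to the decompressor's output; checking `len(BOMB)` against a wire-level limit passes even though the body expands to 8 MiB.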
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.3.0-3+deb13u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 12 Jan 2026 22:38:24 +0100
Source: python-urllib3
Architecture: source
Version: 2.3.0-3+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1122030 1125062
Changes:
 python-urllib3 (2.3.0-3+deb13u1) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Unbounded number of links in the decompression chain (CVE-2025-66418)
     (Closes: #1122030)
   * Decompression-bomb safeguards bypassed when following HTTP redirects
     (streaming API) (CVE-2026-21441) (Closes: #1125062)



--- End Message ---
