Your message dated Sat, 24 Jan 2026 11:34:50 +0000
with message-id <[email protected]>
and subject line Bug#1125062: fixed in python-urllib3 1.26.12-1+deb12u2
has caused the Debian Bug report #1125062,
regarding python-urllib3: CVE-2026-21441
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125062
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-urllib3.
CVE-2026-21441[0]:
| urllib3 is an HTTP client library for Python. urllib3's streaming
| API is designed for the efficient handling of large HTTP responses
| by reading the content in chunks, rather than loading the entire
| response body into memory at once. urllib3 can perform decoding or
| decompression based on the HTTP `Content-Encoding` header (e.g.,
| `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API,
| the library decompresses only the necessary bytes, enabling partial
| content consumption. Starting in version 1.22 and prior to version
| 2.6.3, for HTTP redirect responses, the library would read the
| entire response body to drain the connection and decompress the
| content unnecessarily. This decompression occurred even before any
| read methods were called, and configured read limits did not
| restrict the amount of decompressed data. As a result, there was no
| safeguard against decompression bombs. A malicious server could
| exploit this to trigger excessive resource consumption on the
| client. Applications and libraries are affected when they stream
| content from untrusted sources by setting `preload_content=False`
| when they do not disable redirects. Users should upgrade to at least
| urllib3 v2.6.3, in which the library does not decode content of
| redirect responses when `preload_content=False`. If upgrading is not
| immediately possible, disable redirects by setting `redirect=False`
| for requests to untrusted sources.
https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
(2.6.3)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21441
https://www.cve.org/CVERecord?id=CVE-2026-21441
Please adjust the affected versions in the BTS as needed.
--- End Message ---
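The advisory above says the missing safeguard was a bound on decompressed bytes: the client inflated a redirect body without any cap. The following stdlib-only script is an added illustration of that bound (my own code, not urllib3's, and not the upstream fix): it constructs a small gzip body that inflates to 16 MiB, then reads it through a decompressor that refuses to emit more than a configured number of bytes, next to the naive full inflate. The function names `make_gzip_bomb`, `bounded_gunzip` and `try_bounded_gunzip` are mine. For urllib3 itself the guidance in the report stands: upgrade to 2.6.3 or later, or pass `redirect=False` for requests to untrusted hosts.

```python
import gzip
import io
import zlib


def make_gzip_bomb(size: int) -> bytes:
    """Constructed sample input: one gzip member that inflates to `size` zero bytes.
    Zeros compress at roughly 1000:1, so 16 MiB fits in about 16 KB on the wire."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        block = b"\0" * (1 << 20)
        while size > 0:
            n = min(size, len(block))
            gz.write(block[:n])
            size -= n
    return buf.getvalue()


class DecompressionLimitExceeded(Exception):
    """Raised as soon as the decompressed output would grow past the limit."""


def bounded_gunzip(stream, max_decompressed: int, chunk_size: int = 8192) -> bytes:
    """Inflate a streamed gzip body, enforcing a hard cap on produced bytes.

    The cap is applied inside zlib via max_length, so compressed input that
    would push the output over the limit is never inflated at all; it stays
    in unconsumed_tail and the caller aborts before memory is consumed.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    out = bytearray()
    while True:
        comp = stream.read(chunk_size)
        if not comp:
            break
        while comp:
            # Ask for at most one byte more than we have room for: a single
            # byte over the limit is enough to detect the overflow.
            room = max_decompressed - len(out)
            out += d.decompress(comp, max_length=room + 1)
            if len(out) > max_decompressed:
                raise DecompressionLimitExceeded(
                    f"decompressed output exceeds {max_decompressed} bytes")
            comp = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_decompressed:
        raise DecompressionLimitExceeded(
            f"decompressed output exceeds {max_decompressed} bytes")
    return bytes(out)


def try_bounded_gunzip(data: bytes, max_decompressed: int):
    """Return (True, n_bytes) when the body fits under the cap, (False, 0) otherwise."""
    try:
        return True, len(bounded_gunzip(io.BytesIO(data), max_decompressed))
    except DecompressionLimitExceeded:
        return False, 0


def naive_gunzip_size(data: bytes) -> int:
    """The unsafe shape: inflate everything first and check nothing (the
    behaviour the advisory describes for redirect bodies)."""
    return len(gzip.decompress(data))


if __name__ == "__main__":
    bomb = make_gzip_bomb(16 << 20)
    print("compressed bytes on the wire:", len(bomb))
    print("naive inflate produced:", naive_gunzip_size(bomb))
    print("bounded read with a 1 MiB cap:", try_bounded_gunzip(bomb, 1 << 20))
```

The cap must be checked on decompressed output, not on the compressed Content-Length, which is exactly what a bomb keeps small; passing `max_length` to zlib is what makes the check fire before the memory is allocated rather than after.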
--- Begin Message ---
Source: python-urllib3
Source-Version: 1.26.12-1+deb12u2
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated python-urllib3
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 12 Jan 2026 22:53:55 +0100
Source: python-urllib3
Architecture: source
Version: 1.26.12-1+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1108076 1122030 1125062
Changes:
python-urllib3 (1.26.12-1+deb12u2) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Redirects are not disabled when retries are disabled on PoolManager
instantiation (CVE-2025-50181) (Closes: #1108076)
* Unbounded number of links in the decompression chain (CVE-2025-66418)
(Closes: #1122030)
* Decompression-bomb safeguards bypassed when following HTTP redirects
(streaming API) (CVE-2026-21441) (Closes: #1125062)
Checksums-Sha1:
122799628707daed08d74b2eee3b79c9b15238f9 2499
python-urllib3_1.26.12-1+deb12u2.dsc
ad6bd811a3f4c3e04d86c2706c9994c3e2236e53 299806
python-urllib3_1.26.12.orig.tar.gz
a68c0904d599dde5e20350eac8e733d5ce4ced15 18844
python-urllib3_1.26.12-1+deb12u2.debian.tar.xz
f4d7b7069b3e4e72cd096c8fea4fce5d0ec5af0c 7276
python-urllib3_1.26.12-1+deb12u2_source.buildinfo
Checksums-Sha256:
ea142901b8eab6beb3c492602d9c51a1f105d4ef36ddbec58b6412a2541b1d79 2499
python-urllib3_1.26.12-1+deb12u2.dsc
3fa96cf423e6987997fc326ae8df396db2a8b7c667747d47ddd8ecba91f4a74e 299806
python-urllib3_1.26.12.orig.tar.gz
dd151f188f121ea7c216877798d0ca695762be4918547220f2ad58e615f4da5b 18844
python-urllib3_1.26.12-1+deb12u2.debian.tar.xz
8a1da8c0333ed692b1cc07bfc81bcc52084f82d5a5614150cd9fb22fdb0b61e1 7276
python-urllib3_1.26.12-1+deb12u2_source.buildinfo
Files:
33f2a517c759ada571def44a26173f72 2499 python optional
python-urllib3_1.26.12-1+deb12u2.dsc
ba308b52b9092184cf4905bc59a88fc0 299806 python optional
python-urllib3_1.26.12.orig.tar.gz
9bd223dadb0682334b7da50d9ccedb13 18844 python optional
python-urllib3_1.26.12-1+deb12u2.debian.tar.xz
7cad770e09719213f060e2259512e99e 7276 python optional
python-urllib3_1.26.12-1+deb12u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmlmUKpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EescP/R71qP3fQa0fyCmASkLTUoCWRAAZcS35
RJqd6BPo2j+ZIPnAjtOkVSn0WWkiXiM20asJE84iEvfitXQAQG5+vd/sBLQCUYC5
lHUK8QLrL5DCdhpOVoFfiquewUUr/b0HMRINvnjD/njRsaBFS10WIxMQL79rEEde
MGVmDXqbopv6BpyyTvQHro8sT2YQUZcIRuFcSIA6cQ7G1PLa3q6Kf1wrZ5W9rVwT
ucShGFt5nGUYxvbT7lVcaD/ps27KIFQ0DAdokjnPn7sQfokR85KoK8mqxOalnw9b
CE+iUnPnFciQbzMJs0tHuLgQjrvhHJj3Fpu4Z9HCzWob6OovcmERUwZFcbTXUhJG
5P7jNIwhRr8sXE1iyn24NPZpLJl2FXOeVZhN5V/jLS1AtL5aUgsZlQcO5h7ry/nb
eVivuDNDGxRlDLzV27rG/KGKIohGfpg3bXQmn1z4ZE2g51L/Rwe8Ayltg8sBIiB+
/GwRr1Mdl2yCzc9auEF0BC7CKD40EfdxpYT7hcce0W5/KFfPbhpRaztd2riYbbVl
LcJ14UUPj7+7aq1rycPOZc1hBsEoNMRvAMWzrbJYMdI0SoYtQPERZleE5vZA4YjL
KJduxHQGGpj9LCbWAUhKANC/mBmMrR81X19Bpd8kl2ImixheZnLyo8FnNHZ8VmCe
TX6h+Cv2F/dh
=hljk
-----END PGP SIGNATURE-----
--- End Message ---