Your message dated Mon, 15 Jun 2026 09:49:37 +0000
with message-id <[email protected]>
and subject line Bug#1139189: fixed in weasyprint 69.0-1
has caused the Debian Bug report #1139189,
regarding weasyprint: CVE-2025-68616: SSRF protection bypass via HTTP redirects
in default_url_fetcher
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139189
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: weasyprint
Version: 67.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>
Dear Maintainer,
WeasyPrint is affected by CVE-2025-68616 (GHSA-983w-rhvv-gwmv), a
server-side request forgery (SSRF) protection bypass in all versions
prior to 68.0.
A url_fetcher supplied by an application to validate and block URLs can
be bypassed: the underlying urllib follows HTTP redirects automatically
without re-validating the redirect target against the application's
policy (TOCTOU). An attacker can therefore reach internal resources such
as localhost services or cloud metadata endpoints despite the filter.
(CWE-918 / CWE-601, CVSS 7.5.)
Fixed upstream in 68.0, which sets allow_redirects=False in the
URLFetcher and deprecates default_url_fetcher in favour of a new
URLFetcher class. Current upstream release is 69.0.
All suites currently ship affected versions:
bullseye 51-2, bookworm 57.2-1, trixie 62.3-1, testing/sid 67.0-1.
Note: this CVE is currently marked NOT-FOR-US in the security tracker,
which appears incorrect since weasyprint is packaged in Debian
(src:weasyprint, main). I am also submitting a merge request against the
security-tracker to correct this.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-68616
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
-- System Information:
Debian Release: kali-rolling
Architecture: arm64 (aarch64)
Kernel: Linux 6.12.34+rpt-rpi-2712 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
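The gap the report describes is that the application's url_fetcher is consulted once, for the initial URL, while urllib then follows 3xx responses on its own. Below is an added defensive example (not code from the bug report, WeasyPrint or Debian) of a url_fetcher that applies one policy function to the initial URL and again to every redirect target, by overriding urllib's redirect handler, and that can also refuse redirects outright, which is what upstream 68.0 does with allow_redirects=False. The policy rules, the BLOCKED_HOSTS denylist, the BlockedURL exception and the keys of the returned dict are assumptions of this example; the dict keys follow WeasyPrint's documented url_fetcher contract as I know it and should be checked against the installed version.

```python
import ipaddress
import urllib.request
from urllib.parse import urlparse

# Constructed denylist for this example; extend it to match the deployment's policy.
BLOCKED_HOSTS = {"localhost", "169.254.169.254", "metadata.google.internal"}


class BlockedURL(Exception):
    """Raised when a URL (initial or redirect target) fails the fetch policy."""


def is_allowed(url):
    """Policy check applied to the initial URL *and* to every redirect hop.

    Allows only http(s) to hosts that are neither on the denylist nor IP
    literals in loopback, private, link-local or other non-public ranges.
    Caveat: DNS names are not resolved here, so a name that resolves to an
    internal address (DNS rebinding) is not caught by this check alone.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False            # refuses file:, data:, ftp: and friends
    host = parts.hostname
    if not host:
        return False
    if host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return False
    try:
        addr = ipaddress.ip_address(host)   # "[::1]" arrives here as "::1"
    except ValueError:
        return True             # a hostname, not an IP literal
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


class PolicyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib calls redirect_request() once per 3xx hop (with the target already
    joined to an absolute URL), so this is where the policy gets re-applied."""

    def __init__(self, follow_redirects=True):
        self.follow_redirects = follow_redirects

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not self.follow_redirects:
            raise BlockedURL(f"redirect refused (redirects disabled): {newurl}")
        if not is_allowed(newurl):
            raise BlockedURL(f"redirect to blocked URL: {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def safe_url_fetcher(url, timeout=10, follow_redirects=True):
    """url_fetcher replacement: validate, fetch through the policy-aware opener,
    and return a WeasyPrint-style result dict (keys assumed, see lead-in)."""
    if not is_allowed(url):
        raise BlockedURL(f"blocked URL: {url}")
    opener = urllib.request.build_opener(PolicyRedirectHandler(follow_redirects))
    with opener.open(url, timeout=timeout) as resp:
        return {
            "string": resp.read(),
            "mime_type": resp.headers.get_content_type(),
            "encoding": resp.headers.get_content_charset(),
            "redirected_url": resp.geturl(),
        }


def check_redirect(from_url, to_url, follow_redirects=True):
    """Exercise the handler without a network: returns the URL the redirected
    request would go to, or None if the hop is blocked by policy."""
    handler = PolicyRedirectHandler(follow_redirects)
    req = urllib.request.Request(from_url)
    try:
        return handler.redirect_request(req, None, 302, "Found", {}, to_url).full_url
    except BlockedURL:
        return None


if __name__ == "__main__":
    # Hypothetical wiring into WeasyPrint: HTML(string=doc, url_fetcher=safe_url_fetcher)
    for hop in ("https://cdn.example.org/a.css", "http://127.0.0.1:8080/",
                "http://169.254.169.254/latest/meta-data/"):
        print(hop, "->", check_redirect("https://app.example.org/page", hop))
```

The key design point is that the policy lives in one function and is called from two places: before the first request and inside the redirect handler. Passing follow_redirects=False reproduces the upstream fix's behaviour of treating any redirect as a failure, which is the simpler choice when rendered documents are not expected to reference moved resources.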
--- Begin Message ---
Source: weasyprint
Source-Version: 69.0-1
Done: Stéphane Glondu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
weasyprint, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stéphane Glondu <[email protected]> (supplier of updated weasyprint package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 15 Jun 2026 11:12:50 +0200
Source: weasyprint
Architecture: source
Version: 69.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stéphane Glondu <[email protected]>
Closes: 1138942 1139189
Changes:
weasyprint (69.0-1) unstable; urgency=medium
.
[ Stéphane Glondu ]
* New upstream release (Closes: #1139189)
* Replace Scott by myself in Uploaders (Closes: #1138942)
.
[ Michael R. Crusoe ]
* d/rules: simplifications
* Enable running most of the tests at build time and as autopkgtests.
Checksums-Sha1:
6df1422c54b1f734ce9d34718ac2099c1a136b91 2086 weasyprint_69.0-1.dsc
97dc1981e7fe80c01b4ab5b4d6d49da9fb0eb54d 1549834 weasyprint_69.0.orig.tar.gz
bee58de45a09200c89b3fce8ba18e371e28571fe 5036 weasyprint_69.0-1.debian.tar.xz
Checksums-Sha256:
43378af0ddca8e49808c903b46bf8c5c8e16cd6670c59e875a29f70046d52c1b 2086 weasyprint_69.0-1.dsc
a7a32f39ca16bd82ef11de99c92ea4b5f14951c9033af035e451ce4f4ee0a88c 1549834 weasyprint_69.0.orig.tar.gz
dc3350a420b813e6fca2d4aca1bb637ca51b9d8bec0370328f9362f9e2b60cfd 5036 weasyprint_69.0-1.debian.tar.xz
Files:
d41847d174060d4b69be3bfc6dcd6c2b 2086 text optional weasyprint_69.0-1.dsc
267e1bd34e02655399bc72b45f697be3 1549834 text optional weasyprint_69.0.orig.tar.gz
5fc5e6973e5bba0fe40c8f63866ce1ed 5036 text optional weasyprint_69.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCgAwFiEEbeJOl+yohsxW5iUOIbju8bGJMIEFAmovxecSHGdsb25kdUBk
ZWJpYW4ub3JnAAoJECG47vGxiTCB23gH/1MitwUBJ1UgzRayW0f3Bj6L9OXgmAiK
bgVKY/IBkRNOJfDcO5b1meKsfKlTH8XvC3iehxkcD4WvUp0VMc8Mdq1fig2awIm7
rokbSfM42pQryprJr3ofZ/zoBYYt/VWw1sidNtXiQThjUnlpsKN3YKCfa3BUz1Mf
SWol9ykhsIzqayPz+6VafIeNLBBB0wRtAsQloUkOFzOABUDx2iosGPUuzSa06jtR
JjBLlub9D4EJ92saClhae0DJe3rvH38B8/73Q3m5CB6UPiM4R3QbJ/3AWK2GZsz8
jCGBaJVwnTDWqxm+4RA08Y+dgSZJ511PoYXGLRUbP3fsG6hVeL1c8i8=
=5S0k
-----END PGP SIGNATURE-----
--- End Message ---