[ubuntu/questing-security] python-urllib3 2.3.0-3ubuntu0.1 (Accepted)
Hlib Korzhynskyy
hlib.korzhynskyy at canonical.com
Thu Dec 11 15:05:49 UTC 2025
python-urllib3 (2.3.0-3ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of service due to unbounded decompression chain.
    - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
      checks in src/urllib3/response.py. Add test in test/test_response.py.
    - CVE-2025-66418
  * SECURITY UPDATE: Denial of service due to decompression bomb.
    - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in
      src/urllib3/response.py. Add tests in test/test_response.py.
    - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning
      due to intrusive backport for brotli fixes and upstream version warning
      not being appropriate for distro backporting.
    - CVE-2025-66471

Date: 2025-12-10 20:09:10.391356+00:00
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0-3ubuntu0.1