[ubuntu/resolute-proposed] python-urllib3 2.5.0-1ubuntu1 (Accepted)

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Thu Dec 11 16:53:15 UTC 2025


python-urllib3 (2.5.0-1ubuntu1) resolute; urgency=medium

  * SECURITY UPDATE: Denial of service due to unbounded decompression chain.
    - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
      checks in src/urllib3/response.py. Add test in test/test_response.py.
    - CVE-2025-66418
  * SECURITY UPDATE: Denial of service due to decompression bomb.
    - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in
      src/urllib3/response.py. Add tests in test/test_response.py.
    - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning
      due to intrusive backport for brotli fixes and upstream version warning
      not being appropriate for distro backporting.
    - CVE-2025-66471

Date: Thu, 11 Dec 2025 09:58:19 -0330
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/python-urllib3/2.5.0-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 11 Dec 2025 09:58:19 -0330
Source: python-urllib3
Built-For-Profiles: noudeb
Architecture: source
Version: 2.5.0-1ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Changes:
 python-urllib3 (2.5.0-1ubuntu1) resolute; urgency=medium
 .
   * SECURITY UPDATE: Denial of service due to unbounded decompression chain.
     - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
       checks in src/urllib3/response.py. Add test in test/test_response.py.
     - CVE-2025-66418
   * SECURITY UPDATE: Denial of service due to decompression bomb.
     - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in
       src/urllib3/response.py. Add tests in test/test_response.py.
     - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning
       due to intrusive backport for brotli fixes and upstream version warning
       not being appropriate for distro backporting.
     - CVE-2025-66471
Checksums-Sha1:
 60481fa72b9b37484800f5efa353ce18d0fc8f0e 2856 python-urllib3_2.5.0-1ubuntu1.dsc
 edafadf20a3f003858b7ee9609332992713a6ffa 45072 python-urllib3_2.5.0-1ubuntu1.debian.tar.xz
 b74e3991f7c79941cd9f51131ead8bbd4b208dd5 9197 python-urllib3_2.5.0-1ubuntu1_source.buildinfo
Checksums-Sha256:
 eeae40d8e8ebd615e1802f34e58b457a218fadb317d5b4d1228427b8d31c2ad5 2856 python-urllib3_2.5.0-1ubuntu1.dsc
 93352d6b5c134d01c4e3e218a6fac81c00213697e3520e0eb245548ee653c097 45072 python-urllib3_2.5.0-1ubuntu1.debian.tar.xz
 a6e455afa217c0ebd618ab11e7f519f7ecda6f363c130677e2a98d0f4b0a6c87 9197 python-urllib3_2.5.0-1ubuntu1_source.buildinfo
Files:
 a160d00d53994a3e3c582339d8027d60 2856 python optional python-urllib3_2.5.0-1ubuntu1.dsc
 376081e6958dfb6b3c9a5569adaa87eb 45072 python optional python-urllib3_2.5.0-1ubuntu1.debian.tar.xz
 3665d9f62e6ec66fc22c1164f018782f 9197 python optional python-urllib3_2.5.0-1ubuntu1_source.buildinfo
Original-Maintainer: Debian Python Team <team+python at tracker.debian.org>

