Your message dated Mon, 28 Apr 2025 15:06:41 +0000
with message-id <e1u9q49-003y5a...@fasolo.debian.org>
and subject line Bug#1104056: fixed in python-h11 0.14.0-1.1
has caused the Debian Bug report #1104056,
regarding python-h11: CVE-2025-43859
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-h11
Version: 0.14.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-h11.

CVE-2025-43859[0]:
| h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0,
| a leniency in h11's parsing of line terminators in chunked-coding
| message bodies can lead to request smuggling vulnerabilities under
| certain conditions. This issue has been patched in version 0.16.0.
| Since exploitation requires the combination of buggy h11 with a
| buggy (reverse) proxy, fixing either component is sufficient to
| mitigate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-43859
    https://www.cve.org/CVERecord?id=CVE-2025-43859
[1] https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
[2] https://github.com/python-hyper/h11/commit/dff7cc397a26ed4acdedd92d1bda6c8f18a6ed9f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
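
An added example, not part of the original bug report and not h11's own code: a minimal chunked-body decoder whose strict mode requires CRLF after each chunk's data, while its non-strict mode illustrates the kind of line-terminator leniency the CVE text describes. The function names, the lenient mode and the sample bodies are assumptions constructed for illustration.

```python
HEXDIGITS = b"0123456789abcdefABCDEF"

class ChunkedBodyError(ValueError):
    """The body violates chunked-coding framing."""

def decode_chunked(data: bytes, strict: bool = True) -> bytes:
    """Decode one complete chunked body held in memory.

    strict=True requires CRLF after every chunk's data.
    strict=False skips those two bytes unchecked (hypothetical lenient mode,
    kept only to show how two parsers can disagree on the same bytes).
    """
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedBodyError("chunk-size line not terminated by CRLF")
        size_field = data[pos:eol].split(b";", 1)[0]  # ignore chunk extensions
        # int(x, 16) also accepts "0x", "+", "_" and spaces, so check digits first.
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkedBodyError("invalid chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        if pos + size + 2 > len(data):
            raise ChunkedBodyError("truncated chunk")
        body += data[pos:pos + size]
        pos += size
        if strict and data[pos:pos + 2] != b"\r\n":
            raise ChunkedBodyError("chunk data not followed by CRLF")
        pos += 2
    # Trailer section: zero or more field lines, closed by an empty line.
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedBodyError("trailer section not terminated by CRLF")
        if eol == pos:
            return bytes(body)
        pos = eol + 2

# Constructed sample bodies (not taken from the advisory).
WELL_FORMED = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
BAD_TERMINATOR = b"5\r\nhelloXY6\r\n world\r\n0\r\n\r\n"

def is_well_formed(data: bytes) -> bool:
    """True if the strict decoder accepts the body."""
    try:
        decode_chunked(data)
        return True
    except ChunkedBodyError:
        return False
```

The lenient mode accepts `BAD_TERMINATOR` and returns the same body as for `WELL_FORMED`, whereas the strict mode rejects it; a front end and a back end that differ in this way no longer agree on where a message ends.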
--- Begin Message ---
Source: python-h11
Source-Version: 0.14.0-1.1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-h11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated python-h11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 Apr 2025 18:48:39 +0300
Source: python-h11
Architecture: source
Version: 0.14.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1104056
Changes:
 python-h11 (0.14.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-43859: Don't accept malformed chunked-encoding bodies
     (Closes: #1104056)



--- End Message ---
