Source: python-h11 Version: 0.14.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for python-h11. CVE-2025-43859[0]: | h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, | a leniency in h11's parsing of line terminators in chunked-coding | message bodies can lead to request smuggling vulnerabilities under | certain conditions. This issue has been patched in version 0.16.0. | Since exploitation requires the combination of buggy h11 with a | buggy (reverse) proxy, fixing either component is sufficient to | mitigate this issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-43859 https://www.cve.org/CVERecord?id=CVE-2025-43859 [1] https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj [2] https://github.com/python-hyper/h11/commit/dff7cc397a26ed4acdedd92d1bda6c8f18a6ed9f Please adjust the affected versions in the BTS as needed. Regards, Salvatore
