On Mon, Dec 08, 2025 at 10:16:39PM +0100, Salvatore Bonaccorso wrote:
> The bump of python-scrapy adds support to mitigate CVE-2025-6176. But to be effective the brotli dependency needs to be bumped to the version which adds support for limiting output size in Python streaming decompression (Cf #1122212).
For the record, there is a runtime check that stops Scrapy from using older brotli (it checks for `brotli.Decompressor.can_accept_more_data` existing), which indeed happens with the sid version. So adding a version restriction to the Recommends makes sense, but it's not a security-related issue to not have it.
-- WBR, wRAR