On Sat, Apr 25, 2026 at 02:15:17PM +0200, Salvatore Bonaccorso wrote:
> Control: severity -1 grave
>
> On Sat, Apr 04, 2026 at 05:21:06PM +0200, Salvatore Bonaccorso wrote:
> > Source: py-lmdb
> > Version: 1.4.1-3
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/jnwatson/py-lmdb/issues/210
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> > Control: found -1 1.4.0-1
> > Control: found -1 1.0.0-1
> >
> > Hi,
> >
> > The following vulnerabilities were published for py-lmdb.
> [...]
>
> While the issues are arguably not really RC, in Debian we have almost
> back to trixie the 1.4.1 based version. Upstream has addressed the
> CVEs, so raising the severity to RC to make sure the fix lands in forky
> (for trixie and bookworm the issues still can be considered no-dsa and
> could be fixed in a point release).
These issues are in the bundled lmdb copy[1] that is not used in the
Debian package, so that's rather minor/unimportant for py-lmdb.

The PoCs for all 5 CVEs reproduce[2] with lmdb/sid and not anymore
after applying the patches.

I can prepare an NMU for lmdb, but what CVE numbers to use?
Can the 5 CVEs get reassigned to lmdb where they belong, or will
there be new CVEs?

One of the CVEs might have been forwarded to lmdb upstream.[3]

> Regards,
> Salvatore

cu
Adrian

[1] https://github.com/jnwatson/py-lmdb/issues/210
[2] without python3-lmdb installed, these are C reproducers
[3] https://github.com/jnwatson/py-lmdb/blob/master/upstream-bug-cve-2019-16224.md

