Hi Adrian,

On Mon, Jun 08, 2026 at 04:48:15PM +0300, Adrian Bunk wrote:
> On Sat, Apr 25, 2026 at 02:15:17PM +0200, Salvatore Bonaccorso wrote:
> > Control: severity -1 grave
> >
> > On Sat, Apr 04, 2026 at 05:21:06PM +0200, Salvatore Bonaccorso wrote:
> > > Source: py-lmdb
> > > Version: 1.4.1-3
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://github.com/jnwatson/py-lmdb/issues/210
> > > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> > > Control: found -1 1.4.0-1
> > > Control: found -1 1.0.0-1
> > >
> > > Hi,
> > >
> > > The following vulnerabilities were published for py-lmdb.
> > [...]
> >
> > While the issues are arguably not really RC, in Debian we have almost
> > back to trixie the 1.4.1 based version. Upstream has addressed the
> > CVEs, so raising the severity to RC to make sure the fix lands in forky
> > (for trixie and bookworm the issues still can be considered no-dsa and
> > could be fixed in a point release).
>
> These issues are in the bundled lmdb copy[1] that is not used in the
> Debian package, so that's rather minor/unimportant for py-lmdb.
>
> The PoCs for all 5 CVEs reproduce[2] with lmdb/sid and not anymore after
> applying the patches.
>
> I can prepare an NMU for lmdb, but what CVE numbers to use?
> Can the 5 CVEs get reassigned to lmdb where they belong, or will there
> be new CVEs?
>
> One of the CVEs might have been forwarded to lmdb upstream.[3]
I will have a look at this in the next few days and come back to you.

Regards,
Salvatore

