Your message dated Sat, 03 May 2025 15:17:10 +0000
with message-id <[email protected]>
and subject line Bug#1104056: fixed in python-h11 0.14.0-1.1~deb12u1
has caused the Debian Bug report #1104056,
regarding python-h11: CVE-2025-43859
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104056
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-h11
Version: 0.14.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-h11.

CVE-2025-43859[0]:
| h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0,
| a leniency in h11's parsing of line terminators in chunked-coding
| message bodies can lead to request smuggling vulnerabilities under
| certain conditions. This issue has been patched in version 0.16.0.
| Since exploitation requires the combination of buggy h11 with a
| buggy (reverse) proxy, fixing either component is sufficient to
| mitigate this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-43859
    https://www.cve.org/CVERecord?id=CVE-2025-43859
[1] https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
[2] https://github.com/python-hyper/h11/commit/dff7cc397a26ed4acdedd92d1bda6c8f18a6ed9f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
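The advisory quoted in the report above describes the defect only in general terms: a chunked-body parser that tolerates line terminators other than CRLF can disagree with a neighbouring proxy about where a message ends, and that disagreement is what request smuggling exploits. The following is an added example, not h11's code and not the patch linked in the report: a strict decoder for the chunked transfer coding of RFC 9112 section 7.1 that accepts only CRLF after the chunk-size line, after each chunk's data and in the trailer section, and raises on anything else rather than guessing. The names `decode_chunked_strict`, `MalformedChunk` and `rejects` are chosen here for illustration.

```python
import re

CRLF = b"\r\n"
# chunk-size line: 1..16 hex digits, optional chunk extensions, then exactly CRLF.
# No '^' anchor: Pattern.match(data, pos) already anchors at pos.
_CHUNK_HEADER = re.compile(rb"([0-9a-fA-F]{1,16})(?:;[^\r\n]*)?\r\n")


class MalformedChunk(ValueError):
    """Raised when a chunked body deviates from RFC 9112 section 7.1."""


def decode_chunked_strict(data: bytes) -> bytes:
    """Decode a complete chunked body, accepting only CRLF line terminators.

    A lenient decoder that also accepts a bare LF (or CR) can disagree with a
    proxy on the same hop about where one message ends and the next begins.
    Raising instead of guessing keeps both ends of the hop in agreement.
    """
    pos = 0
    out = bytearray()
    while True:
        m = _CHUNK_HEADER.match(data, pos)
        if m is None:
            raise MalformedChunk(f"bad chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break  # last-chunk; the trailer section follows
        end = pos + size
        # The chunk data must be followed by exactly CRLF; a short body or a
        # bare LF both fail this check (an out-of-range slice is b"").
        if data[end:end + 2] != CRLF:
            raise MalformedChunk(f"chunk data at offset {pos} not terminated by CRLF")
        out += data[pos:end]
        pos = end + 2
    # Trailer section: zero or more header lines, then an empty line, all CRLF-terminated.
    while True:
        nl = data.find(CRLF, pos)
        if nl == -1:
            raise MalformedChunk("missing CRLF after last-chunk or trailer line")
        line = data[pos:nl]
        pos = nl + 2
        if b"\r" in line or b"\n" in line:
            raise MalformedChunk("bare CR or LF inside trailer section")
        if line == b"":
            break
    if pos != len(data):
        raise MalformedChunk(f"{len(data) - pos} byte(s) after end of chunked body")
    return bytes(out)


def rejects(data: bytes) -> bool:
    """True if the strict decoder refuses the body (useful in tests and fuzzing)."""
    try:
        decode_chunked_strict(data)
    except MalformedChunk:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies: one well-formed, one using bare LF terminators.
    good = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
    bare_lf = b"5\nhello\n0\n\n"
    print("well-formed ->", decode_chunked_strict(good))
    print("bare LF rejected ->", rejects(bare_lf))
```

The decoder treats the whole body as already buffered; a streaming version keeps the same grammar and simply returns "need more data" where this one raises on a short slice. The useful property for the scenario in the advisory is that the set of bodies this code accepts is a subset of what any RFC-conforming peer accepts, so a strict component on either side of a hop cannot be led to a different framing than its neighbour.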
--- Begin Message ---
Source: python-h11
Source-Version: 0.14.0-1.1~deb12u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-h11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-h11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 Apr 2025 13:46:55 +0300
Source: python-h11
Architecture: source
Version: 0.14.0-1.1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1104056
Changes:
 python-h11 (0.14.0-1.1~deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm.
 .
 python-h11 (0.14.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-43859: Don't accept malformed chunked-encoding bodies
     (Closes: #1104056)
Checksums-Sha1:
 2d004d878e5614363f08f57150278e0416ff381e 2122 python-h11_0.14.0-1.1~deb12u1.dsc
 7cc763e22b8977cc36b8ef229c1c2503ebd3d8e3 106618 python-h11_0.14.0.orig.tar.gz
 2a16acc14ccf057168405a5811ecff724c17b6f8 6380 python-h11_0.14.0-1.1~deb12u1.debian.tar.xz
Checksums-Sha256:
 d3b1c585f2a42e3cc27fe20fcfced71fe4d57300c975dcfeeeb3259d2afbf4b0 2122 python-h11_0.14.0-1.1~deb12u1.dsc
 d65a85d094b76846653fa7c3b45abdaf8b4f055c643bb6eec623f1311636a474 106618 python-h11_0.14.0.orig.tar.gz
 d622ebae0d0ec47dc5d467f63767d6769a4d0bf8220bee0ef0c1d387d9968c8f 6380 python-h11_0.14.0-1.1~deb12u1.debian.tar.xz
Files:
 28ff5249e3ef8a11af60962dd26aac70 2122 python optional python-h11_0.14.0-1.1~deb12u1.dsc
 34ef2720be2c6fd236faa7fc606cfda9 106618 python optional python-h11_0.14.0.orig.tar.gz
 d1cc1537bfad7eda12d9f33d3e8258a9 6380 python optional python-h11_0.14.0-1.1~deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpRNX2TFtJ1R.pgp
Description: PGP signature


--- End Message ---
