Bug#1109377: marked as done (pycares: CVE-2025-48945)

Tue, 28 Oct 2025 08:35:19 -0700 

Your message dated Tue, 28 Oct 2025 11:21:41 -0400
with message-id <[email protected]>
and subject line Closed with pycares 4.9.0-1
has caused the Debian Bug report #1109377,
regarding pycares: CVE-2025-48945
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109377: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109377
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: pycares
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for pycares.

CVE-2025-48945[0]:
| pycares is a Python module which provides an interface to c-ares.
| c-ares is a C library that performs DNS requests and name
| resolutions asynchronously. Prior to version 4.9.0, pycares is
| vulnerable to a use-after-free condition that occurs when a Channel
| object is garbage collected while DNS queries are still pending.
| This results in a fatal Python error and interpreter crash. The
| vulnerability has been fixed in pycares 4.9.0 by implementing a safe
| channel destruction mechanism.

https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35
Fixed by: 
https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4
 (v4.9.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48945
    https://www.cve.org/CVERecord?id=CVE-2025-48945

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message --- This bug is fixed by the upstream commit addressing CVE-2025-48945, which is included in pycares 4.9.0-1 uploaded to unstable. 

--
Manuel Guerra <[email protected]>
  Debian Maintainer
  4096 bit RSA key ECA5016D963F871E5873CFC2E573B97D48F2E520
  keyserver: keyserver.ubuntu.com, keys.openpgp.org

--- End Message ---

Reply via email to