Your message dated Fri, 03 Apr 2026 19:53:11 +0000
with message-id <[email protected]>
and subject line Bug#1131371: fixed in pyasn1 0.6.1-1+deb13u2
has caused the Debian Bug report #1131371,
regarding pyasn1: CVE-2026-30922
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131371
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pyasn1
Version: 0.6.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for pyasn1.
CVE-2026-30922[0]:
| pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the
| `pyasn1` library is vulnerable to a Denial of Service (DoS) attack
| caused by uncontrolled recursion when decoding ASN.1 data with
| deeply nested structures. An attacker can supply a crafted payload
| containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`)
| tags with "Indefinite Length" (`0x80`) markers. This forces the
| decoder to recursively call itself until the Python interpreter
| crashes with a `RecursionError` or consumes all available memory
| (OOM), crashing the host application. This is a distinct
| vulnerability from CVE-2026-23490 (which addressed integer overflows
| in OID decoding). The fix for CVE-2026-23490
| (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion
| issue. Version 0.6.3 fixes this specific issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-30922
https://www.cve.org/CVERecord?id=CVE-2026-30922
[1] https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r
[2] https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
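Illustration of the nesting attack described in the report above, added here as an example; it is not code from pyasn1, from the upstream fix commit, or from the Debian packaging. It builds the payload shape the advisory describes (nested `SEQUENCE`/`SET` tags, each with the `0x80` indefinite-length marker) and shows a depth-bounded, iterative BER structure walk that an application can run over untrusted input before calling a recursive decoder. The depth limit of 64, the helper names and the sample AlgorithmIdentifier bytes are assumptions for the example; the walker does not reproduce what the upstream commit changed inside pyasn1.

```python
# Added example for CVE-2026-30922 (not code from pyasn1 or the Debian report):
# builds the nested indefinite-length payload the advisory describes and gates it
# with a bounded, iterative BER structure walk run before a recursive decoder.
# DEFAULT_DEPTH_LIMIT and the sample DER bytes are assumptions for this example.

SEQUENCE, SET, INDEFINITE = 0x30, 0x31, 0x80   # constructed tags; indefinite-length octet
EOC = b"\x00\x00"                               # end-of-contents closing an indefinite element
DEFAULT_DEPTH_LIMIT = 64                        # assumed; set to what your schema really needs

class MalformedBER(ValueError): """Input is not well-formed BER/DER."""
class NestingTooDeep(ValueError): """Constructed nesting exceeds the limit."""

def encode_length(n: int) -> bytes:
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets

def build_nested_indefinite(depth: int, tag: int = SEQUENCE) -> bytes:
    """Attack shape from the advisory: `depth` nested constructed tags with the
    0x80 indefinite-length marker, closed by `depth` EOC markers."""
    return bytes([tag, INDEFINITE]) * depth + EOC * depth

def build_nested_definite(depth: int, tag: int = SEQUENCE) -> bytes:
    """Same nesting with definite lengths (valid DER), built inside-out."""
    body = b""
    for _ in range(depth):
        body = bytes([tag]) + encode_length(len(body)) + body
    return body

def max_nesting_depth(data: bytes, limit: int = DEFAULT_DEPTH_LIMIT) -> int:
    """Walk the TLV structure with an explicit stack, not recursion, so the guard
    cannot be crashed by the input it rejects. Returns the deepest constructed
    nesting seen; raises NestingTooDeep or MalformedBER."""
    n, pos, depth, deepest = len(data), 0, 0, 0
    stack = []  # per open container: end offset (definite) or None (indefinite)
    while True:
        # close definite-length containers whose contents are fully consumed
        while stack and stack[-1] is not None and pos >= stack[-1]:
            if pos > stack[-1]:
                raise MalformedBER("child element overruns its container")
            stack.pop()
            depth -= 1
        if pos >= n:
            if stack:
                raise MalformedBER("truncated: unclosed constructed element")
            return deepest
        if data[pos] == 0x00:  # EOC closes the innermost indefinite container
            if not stack or stack[-1] is not None or data[pos:pos + 2] != EOC:
                raise MalformedBER("unexpected end-of-contents octets")
            pos, depth = pos + 2, depth - 1
            stack.pop()
            continue
        tag, pos = data[pos], pos + 1
        constructed = bool(tag & 0x20)
        if tag & 0x1F == 0x1F:  # high-tag-number form: skip continuation octets
            while pos < n and data[pos] & 0x80:
                pos += 1
            pos += 1  # final tag octet
        if pos >= n:
            raise MalformedBER("truncated tag or length")
        first, pos = data[pos], pos + 1
        if first == INDEFINITE:
            if not constructed:
                raise MalformedBER("indefinite length on a primitive element")
            length = None
        elif first & 0x80:  # long form: next k octets hold the length
            k = first & 0x7F
            if pos + k > n:
                raise MalformedBER("truncated long-form length")
            length, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
        else:
            length = first
        if length is not None and pos + length > n:
            raise MalformedBER("element length exceeds input")
        if constructed:
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
            deepest = max(deepest, depth)
            stack.append(None if length is None else pos + length)
        else:
            pos += length  # primitive element: skip its contents

def is_safe_to_decode(data: bytes, limit: int = DEFAULT_DEPTH_LIMIT) -> bool:
    """Gate to run over untrusted bytes before handing them to a full decoder."""
    try:
        max_nesting_depth(data, limit)
        return True
    except (MalformedBER, NestingTooDeep):
        return False

# Constructed sample: DER AlgorithmIdentifier for sha256WithRSAEncryption.
ALGORITHM_IDENTIFIER_DER = bytes.fromhex("300d06092a864886f70d01010b0500")
```

Python's default recursion limit is 1000, so `build_nested_indefinite(5000)` (20 000 bytes) is enough to exhaust a naively recursive decoder, while `is_safe_to_decode` rejects it in a single pass because the walker keeps its own stack. Two practical caveats: the gate only bounds nesting, so keep the decoder's own fix in place rather than relying on the pre-check alone; and the Debian update below backports the fix into 0.6.1-1+deb13u2 without changing the upstream version string, so comparing `pyasn1.__version__` against 0.6.3 reports a false positive on trixie. Confirm the installed package version (for example with `dpkg -s python3-pyasn1`) or the security tracker entry instead.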
--- Begin Message ---
Source: pyasn1
Source-Version: 0.6.1-1+deb13u2
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pyasn1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated pyasn1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 26 Mar 2026 17:21:15 +0100
Source: pyasn1
Architecture: source
Version: 0.6.1-1+deb13u2
Distribution: trixie-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1131371
Changes:
pyasn1 (0.6.1-1+deb13u2) trixie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Denial of Service in pyasn1 via Unbounded Recursion (CVE-2026-30922)
(Closes: #1131371)
Checksums-Sha1:
7fad77c32cd7257579144c7e653124b17007b032 2443 pyasn1_0.6.1-1+deb13u2.dsc
9b575541fde16e01f0cf88a07d59581a070b2237 9384 pyasn1_0.6.1-1+deb13u2.debian.tar.xz
a8cee9fdbef04d2c2b1c09117fde1754c61783a0 6754 pyasn1_0.6.1-1+deb13u2_source.buildinfo
Checksums-Sha256:
02dd9a447160e17957fcd2fabb596e53fc41b469db90a677db9eec14d8101875 2443 pyasn1_0.6.1-1+deb13u2.dsc
5b0b5bbbeeb67d8c00e67fbaf10b7157d96ae56c07783a192920ba3a5593d786 9384 pyasn1_0.6.1-1+deb13u2.debian.tar.xz
2fefbb66b34f571394f5117981fd8be45141d5c7ae081b207f188634ab114ec4 6754 pyasn1_0.6.1-1+deb13u2_source.buildinfo
Files:
0bf00463af723f28a4021be03909e82a 2443 python optional pyasn1_0.6.1-1+deb13u2.dsc
f4e6f72958a9a8b057e5bc5f71266483 9384 python optional pyasn1_0.6.1-1+deb13u2.debian.tar.xz
71949faf4720c5f04d111c222be32849 6754 python optional pyasn1_0.6.1-1+deb13u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=FbAy
-----END PGP SIGNATURE-----
--- End Message ---