Your message dated Sat, 13 Jun 2026 15:04:25 +0000
with message-id <[email protected]>
and subject line Bug#1139878: fixed in python-kafka 2.0.2-12
has caused the Debian Bug report #1139878,
regarding python-kafka: CVE-2026-10142
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139878: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139878
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-kafka
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for python-kafka.
CVE-2026-10142[0]:
| kafka-python prior to 2.3.2 contains a denial-of-service
| vulnerability in the protocol parser that allows a malicious broker
| or machine-in-the-middle attacker to exhaust memory or hang
| connections by sending a crafted 4-byte frame length value without
| bounds validation. Attackers can send a specially crafted frame
| length through the receive_bytes() function to trigger either a
| multi-gigabyte memory allocation or an uncaught ValueError that
| leaves the connection in a broken state, causing requests to hang
| and consumers to stop heartbeating until restart.
https://github.com/dpkp/kafka-python/pull/3019
https://github.com/dpkp/kafka-python/pull/3026
Fixed by:
https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b
(3.0.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-10142
https://www.cve.org/CVERecord?id=CVE-2026-10142
Please adjust the affected versions in the BTS as needed.
--- End Message ---
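The bounds check the CVE text above describes, written out as an added example; this is not kafka-python's own code or the upstream patch. A hypothetical BoundedFrameReader validates the 4-byte big-endian frame length against an assumed MAX_FRAME_BYTES limit before it buffers any payload, and on a bad header marks the connection broken and raises a dedicated error rather than leaving half-parsed state behind. The receive_bytes name mirrors the function the advisory names; the class, the limit value and the sample frames are constructed for this example.

```python
import struct

# Assumed upper bound on a single length-prefixed frame. Real clients
# expose this as configuration; the value here is an illustrative
# placeholder, not kafka-python's setting.
MAX_FRAME_BYTES = 100 * 1024 * 1024  # 100 MiB


class FrameError(Exception):
    """Raised when a frame header fails validation. The caller should
    close and reconnect rather than keep parsing this stream."""


def parse_frame_length(header, max_frame_bytes=MAX_FRAME_BYTES):
    """Decode a 4-byte big-endian signed length and reject it before any
    allocation happens if it is negative or above the configured bound."""
    (length,) = struct.unpack(">i", header[:4])
    if length < 0 or length > max_frame_bytes:
        raise FrameError(f"frame length {length} outside 0..{max_frame_bytes}")
    return length


def encode_frame(payload):
    """Build one frame in the assumed wire format: 4-byte length + payload."""
    return struct.pack(">i", len(payload)) + payload


class BoundedFrameReader:
    """Accumulate socket bytes and return complete frames, checking each
    header with parse_frame_length before buffering its payload."""

    def __init__(self, max_frame_bytes=MAX_FRAME_BYTES):
        self.max_frame_bytes = max_frame_bytes
        self._buf = bytearray()
        self._expected = None  # payload length of the frame in progress
        self.closed = False    # set once a hostile header has been seen

    def receive_bytes(self, data):
        """Feed raw bytes; return a list of complete payloads (possibly empty)."""
        if self.closed:
            raise FrameError("connection already marked broken")
        self._buf += data
        frames = []
        while True:
            if self._expected is None:
                if len(self._buf) < 4:
                    break  # header not complete yet
                try:
                    self._expected = parse_frame_length(self._buf, self.max_frame_bytes)
                except FrameError:
                    # Fail closed: drop buffered state so no later call can
                    # resume from a half-parsed header.
                    self.closed = True
                    self._buf.clear()
                    raise
                del self._buf[:4]
            if len(self._buf) < self._expected:
                break  # payload not complete yet
            frames.append(bytes(self._buf[:self._expected]))
            del self._buf[:self._expected]
            self._expected = None
        return frames


def demo():
    """Constructed exchange: two valid frames delivered in 5-byte chunks,
    then a header claiming a 2 GiB payload from the same peer."""
    reader = BoundedFrameReader()
    stream = encode_frame(b"metadata") + encode_frame(b"heartbeat")
    got = []
    for i in range(0, len(stream), 5):
        got.extend(reader.receive_bytes(stream[i:i + 5]))
    hostile_header = struct.pack(">i", 0x7FFFFFFF)
    try:
        reader.receive_bytes(hostile_header)
        error = None
    except FrameError as exc:
        error = str(exc)
    return {"frames": got, "error": error, "closed": reader.closed}


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in a real client are the ones demo() exercises: a well-formed stream split at arbitrary byte boundaries still reassembles correctly, and an out-of-range header is rejected before any payload buffer is sized by it, with the reader refusing further input until the connection is recreated.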
--- Begin Message ---
Source: python-kafka
Source-Version: 2.0.2-12
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-kafka, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-kafka package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Jun 2026 16:14:41 +0200
Source: python-kafka
Architecture: source
Version: 2.0.2-12
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1139822 1139878
Changes:
python-kafka (2.0.2-12) unstable; urgency=medium
.
* CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
vulnerability in the protocol parser that allows a malicious broker or
machine-in-the-middle attacker to exhaust memory or hang connections by
sending a crafted 4-byte frame length value without bounds validation.
Attackers can send a specially crafted frame length through the
receive_bytes() function to trigger either a multi-gigabyte memory
allocation or an uncaught ValueError that leaves the connection in a broken
state, causing requests to hang and consumers to stop heartbeating until
restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
(Closes: #1139878, #1139822).
Checksums-Sha1:
5b9349ba28d2494a8822b22d85330ddb8d0d1803 2299 python-kafka_2.0.2-12.dsc
e1086f767263824c1991ac678fbe5193c14422a6 11276 python-kafka_2.0.2-12.debian.tar.xz
00539bdd4a7e0dfcd2e1c88b17542f1db725f74e 8877 python-kafka_2.0.2-12_amd64.buildinfo
Checksums-Sha256:
fd521e7f29eb9d32f65aaf802202ac90baec07dcf24d8a83df39c09d9e3c81b2 2299 python-kafka_2.0.2-12.dsc
772800ce1dbb107e368c2d580e78f4c7f04e38c25dccdcea7a62ff663ea45ec6 11276 python-kafka_2.0.2-12.debian.tar.xz
efbe00c389f78ca6f10aa7444a3e7ec5d4e8644a7c3cb0107ba6417b5a7983d3 8877 python-kafka_2.0.2-12_amd64.buildinfo
Files:
b6c99144d03f0d07f6f5418a54993b31 2299 python optional python-kafka_2.0.2-12.dsc
9db2c7a891cc2569002dbd013c284609 11276 python optional python-kafka_2.0.2-12.debian.tar.xz
8b65c351b853a9187ab6e6b39a52d160 8877 python optional python-kafka_2.0.2-12_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---