Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1132935,
regarding trixie-pu: package python-ldap/3.4.4-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132935
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-ldap
User: [email protected]
Usertags: pu

Fixes two minor security issues. Tests in debusine look
all good. Debdiff below.

Cheers,
        Moritz

diff -Nru python-ldap-3.4.4/debian/changelog python-ldap-3.4.4/debian/changelog
--- python-ldap-3.4.4/debian/changelog  2023-12-03 11:34:54.000000000 +0100
+++ python-ldap-3.4.4/debian/changelog  2026-04-06 23:33:25.000000000 +0200
@@ -1,3 +1,10 @@
+python-ldap (3.4.4-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2025-61911 (Closes: #1117858)
+  * CVE-2025-61912 (Closes: #1117859)
+
+ -- Moritz Mühlenhoff <[email protected]>  Mon, 06 Apr 2026 23:33:25 +0200
+
 python-ldap (3.4.4-1) unstable; urgency=low
 
   * New upstream version 3.4.4
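Review bot: the two new changelog entries give only the CVE ids and bug numbers, so a reader cannot tell what changed without looking them up. Add a few words to each, for example that CVE-2025-61911 adds a type check to escape_filter_chars in Lib/ldap/filter.py and that CVE-2025-61912 changes how escape_dn_chars in Lib/ldap/dn.py escapes NUL.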
diff -Nru python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch 
python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch
--- python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch       1970-01-01 
01:00:00.000000000 +0100
+++ python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch       2026-04-06 
23:32:56.000000000 +0200
@@ -0,0 +1,29 @@
+From 464fddacd63092d6e01c62a38316a713c30ca98a Mon Sep 17 00:00:00 2001
+From: lukas-eu <[email protected]>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.4.orig/Lib/ldap/filter.py
++++ python-ldap-3.4.4/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+       If 1 all NON-ASCII chars are escaped.
+       If 2 all chars are escaped.
+   """
++  if not isinstance(assertion_value, str):
++    raise TypeError("assertion_value must be of type str.")
+   if escape_mode:
+     r = []
+     if escape_mode==1:
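Review bot: the new isinstance check at the top of escape_filter_chars raises TypeError, but the docstring that closes directly above it still only describes escape_mode. Add a sentence there stating that assertion_value must be str and that any other type raises TypeError. Note that bytes is rejected as well, since it fails isinstance(assertion_value, str); if that is intended, say so in the docstring too.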
+--- python-ldap-3.4.4.orig/Tests/t_ldap_filter.py
++++ python-ldap-3.4.4/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ class TestDN(unittest.TestCase):
+             ),
+             r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+         )
++        with self.assertRaises(TypeError):
++            escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++        with self.assertRaises(TypeError):
++            escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+ 
+     def test_escape_filter_chars_mode2(self):
+         """
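Review bot: both new assertRaises cases call escape_filter_chars with escape_mode=1 only, while the check in filter.py sits before the "if escape_mode:" branch and therefore applies to every mode. Add the same list and dict inputs with escape_mode=0 and escape_mode=2, so that a later refactor which moves the check into a single branch is caught by the tests.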
diff -Nru python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch 
python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch
--- python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch       1970-01-01 
01:00:00.000000000 +0100
+++ python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch       2026-04-06 
23:33:22.000000000 +0200
@@ -0,0 +1,28 @@
+From 9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <[email protected]>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.4.orig/Lib/ldap/dn.py
++++ python-ldap-3.4.4/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+     s = s.replace('>' ,'\\>')
+     s = s.replace(';' ,'\\;')
+     s = s.replace('=' ,'\\=')
+-    s = s.replace('\000' ,'\\\000')
++    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++    s = s.replace('\x00' ,'\\00')
+     if s[-1]==' ':
+       s = ''.join((s[:-1],'\\ '))
+     if s[0]=='#' or s[0]==' ':
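Review bot: the header of CVE-2025-61912.patch keeps the upstream subject "[PATCH] Merge commit from fork", which does not say what the patch changes. Replace it with a one-line description (NUL in escape_dn_chars is now escaped as the hex pair \00, as the added RFC 4514 comment says) and add DEP-3 fields: Origin for commit 9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 and Bug-Debian for #1117859. The same applies to the header of CVE-2025-61911.patch.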
+--- python-ldap-3.4.4.orig/Tests/t_ldap_dn.py
++++ python-ldap-3.4.4/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+         self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('  '), '\\ \\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+-        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 
'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 
'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\00\\"')
+         self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 
'foo\\\\\\,bar')
+ 
+     def test_str2dn(self):
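Review bot: the updated assertion covers NUL only in the middle of a value ('f+o>o,b<a;r="\00"'), while escape_dn_chars goes on to treat s[-1] and s[0] specially right after the NUL replacement. Add cases with NUL as the first character, as the last character, and as the whole input; for the last one, escape_dn_chars('\x00') should return '\\00'.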
diff -Nru python-ldap-3.4.4/debian/patches/series 
python-ldap-3.4.4/debian/patches/series
--- python-ldap-3.4.4/debian/patches/series     2023-12-03 11:34:54.000000000 
+0100
+++ python-ldap-3.4.4/debian/patches/series     2026-04-06 23:33:11.000000000 
+0200
@@ -1,2 +1,4 @@
 0001-Search-for-slapadd-in-sbin-path.patch
 0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+CVE-2025-61911.patch
+CVE-2025-61912.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---