
Bug#1133131: bookworm-pu: package python-ldap/3.4.3-2+deb12u1

From Moritz Muehlenhoff <jmm@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.release
Subject Bug#1133131: bookworm-pu: package python-ldap/3.4.3-2+deb12u1
Date Fri, 10 Apr 2026 10:20:01 +0200
Message-ID <MIffP-e2xt-1@gated-at.bofh.it>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-ldap@packages.debian.org
Control: affects -1 + src:python-ldap
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes two severity security issues in python-ldap; all tests
were fine in debusine. Debdiff below.

Cheers,
        Moritz

diff -Nru python-ldap-3.4.3/debian/changelog python-ldap-3.4.3/debian/changelog
--- python-ldap-3.4.3/debian/changelog	2022-10-17 00:23:02.000000000 +0200
+++ python-ldap-3.4.3/debian/changelog	2026-04-06 23:48:26.000000000 +0200
@@ -1,3 +1,10 @@
+python-ldap (3.4.3-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2025-61911 (Closes: #1117858)
+  * CVE-2025-61912 (Closes: #1117859)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 06 Apr 2026 23:48:26 +0200
+
 python-ldap (3.4.3-2) unstable; urgency=medium
 
   [ Debian Janitor ]
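Review bot: the two new changelog bullets give only the CVE ids, so a reader of debian/changelog cannot tell what was changed without opening the patch files. Consider naming the function each entry touches, for example "CVE-2025-61911: reject non-str input in escape_filter_chars()" and "CVE-2025-61912: escape NUL as \00 in escape_dn_chars()".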
diff -Nru python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch
--- python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch	2026-04-06 23:41:29.000000000 +0200
@@ -0,0 +1,29 @@
+From 464fddacd63092d6e01c62a38316a713c30ca98a Mon Sep 17 00:00:00 2001
+From: lukas-eu <62448426+lukas-eu@users.noreply.github.com>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.3.orig/Lib/ldap/filter.py
++++ python-ldap-3.4.3/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+       If 1 all NON-ASCII chars are escaped.
+       If 2 all chars are escaped.
+   """
++  if not isinstance(assertion_value, str):
++    raise TypeError("assertion_value must be of type str.")
+   if escape_mode:
+     r = []
+     if escape_mode==1:
+--- python-ldap-3.4.3.orig/Tests/t_ldap_filter.py
++++ python-ldap-3.4.3/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ class TestDN(unittest.TestCase):
+             ),
+             r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+         )
++        with self.assertRaises(TypeError):
++            escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++        with self.assertRaises(TypeError):
++            escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+ 
+     def test_escape_filter_chars_mode2(self):
+         """
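Review bot: the added assertRaises cases in Tests/t_ldap_filter.py call escape_filter_chars() only with escape_mode=1, while the isinstance check in Lib/ldap/filter.py sits before "if escape_mode:" and therefore guards every mode. Repeating the list and dict cases with escape_mode=0 and escape_mode=2 would pin that behaviour down. Separately, the patch header keeps only the subject "Merge commit from fork"; a one-line description of the issue being fixed would make the file readable on its own.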
diff -Nru python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch
--- python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch	2026-04-06 23:41:56.000000000 +0200
@@ -0,0 +1,28 @@
+From 9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <simon.pichugin@gmail.com>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.3.orig/Lib/ldap/dn.py
++++ python-ldap-3.4.3/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+     s = s.replace('>' ,'\\>')
+     s = s.replace(';' ,'\\;')
+     s = s.replace('=' ,'\\=')
+-    s = s.replace('\000' ,'\\\000')
++    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++    s = s.replace('\x00' ,'\\00')
+     if s[-1]==' ':
+       s = ''.join((s[:-1],'\\ '))
+     if s[0]=='#' or s[0]==' ':
+--- python-ldap-3.4.3.orig/Tests/t_ldap_dn.py
++++ python-ldap-3.4.3/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+         self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('  '), '\\ \\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+-        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\00\\"')
+         self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 'foo\\\\\\,bar')
+ 
+     def test_str2dn(self):
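Review bot: the only test change in Tests/t_ldap_dn.py is the existing assertion, which has a single NUL in the middle of the value, so the new "\00" replacement in escape_dn_chars() is not exercised at the start or end of the string or directly before a digit. Consider adding assertions for a value that is just '\x00', for one that ends in NUL, and for 'a\x001', whose expected result 'a\\001' shows the hex pair followed by a literal 1. The test input also writes the character as '\00' while the code now uses '\x00'; using one spelling in both places would make the pairing easier to follow.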
diff -Nru python-ldap-3.4.3/debian/patches/series python-ldap-3.4.3/debian/patches/series
--- python-ldap-3.4.3/debian/patches/series	2022-10-17 00:23:02.000000000 +0200
+++ python-ldap-3.4.3/debian/patches/series	2026-04-06 23:41:45.000000000 +0200
@@ -1,2 +1,4 @@
 0001-Search-for-slapadd-in-sbin-path.patch
 0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+CVE-2025-61911.patch
+CVE-2025-61912.patch
