Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.bugs.dist > #1289044

Bug#1133131: bookworm-pu: package python-ldap/3.4.3-2+deb12u1

From Moritz Muehlenhoff <jmm@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.release
Subject Bug#1133131: bookworm-pu: package python-ldap/3.4.3-2+deb12u1
Date 2026-04-10 10:20 +0200
Message-ID <MIffP-e2xt-1@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Cross-posted to 2 groups.

Show all headers | View raw

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-ldap@packages.debian.org
Control: affects -1 + src:python-ldap
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes two severity security issues in python-ldap, all tests
were fine in debusine. Debdiff below.

Cheers,
        Moritz

diff -Nru python-ldap-3.4.3/debian/changelog python-ldap-3.4.3/debian/changelog
--- python-ldap-3.4.3/debian/changelog	2022-10-17 00:23:02.000000000 +0200
+++ python-ldap-3.4.3/debian/changelog	2026-04-06 23:48:26.000000000 +0200
@@ -1,3 +1,10 @@
+python-ldap (3.4.3-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2025-61911 (Closes: #1117858)
+  * CVE-2025-61912 (Closes: #1117859)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 06 Apr 2026 23:48:26 +0200
+
 python-ldap (3.4.3-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch
--- python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-ldap-3.4.3/debian/patches/CVE-2025-61911.patch	2026-04-06 23:41:29.000000000 +0200
@@ -0,0 +1,29 @@
+From 464fddacd63092d6e01c62a38316a713c30ca98a Mon Sep 17 00:00:00 2001
+From: lukas-eu <62448426+lukas-eu@users.noreply.github.com>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.3.orig/Lib/ldap/filter.py
++++ python-ldap-3.4.3/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+       If 1 all NON-ASCII chars are escaped.
+       If 2 all chars are escaped.
+   """
++  if not isinstance(assertion_value, str):
++    raise TypeError("assertion_value must be of type str.")
+   if escape_mode:
+     r = []
+     if escape_mode==1:
+--- python-ldap-3.4.3.orig/Tests/t_ldap_filter.py
++++ python-ldap-3.4.3/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ class TestDN(unittest.TestCase):
+             ),
+             r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+         )
++        with self.assertRaises(TypeError):
++            escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++        with self.assertRaises(TypeError):
++            escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+ 
+     def test_escape_filter_chars_mode2(self):
+         """
diff -Nru python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch
--- python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-ldap-3.4.3/debian/patches/CVE-2025-61912.patch	2026-04-06 23:41:56.000000000 +0200
@@ -0,0 +1,28 @@
+From 9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <simon.pichugin@gmail.com>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.3.orig/Lib/ldap/dn.py
++++ python-ldap-3.4.3/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+     s = s.replace('>' ,'\\>')
+     s = s.replace(';' ,'\\;')
+     s = s.replace('=' ,'\\=')
+-    s = s.replace('\000' ,'\\\000')
++    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++    s = s.replace('\x00' ,'\\00')
+     if s[-1]==' ':
+       s = ''.join((s[:-1],'\\ '))
+     if s[0]=='#' or s[0]==' ':
+--- python-ldap-3.4.3.orig/Tests/t_ldap_dn.py
++++ python-ldap-3.4.3/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+         self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('  '), '\\ \\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+-        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\00\\"')
+         self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 'foo\\\\\\,bar')
+ 
+     def test_str2dn(self):
diff -Nru python-ldap-3.4.3/debian/patches/series python-ldap-3.4.3/debian/patches/series
--- python-ldap-3.4.3/debian/patches/series	2022-10-17 00:23:02.000000000 +0200
+++ python-ldap-3.4.3/debian/patches/series	2026-04-06 23:41:45.000000000 +0200
@@ -1,2 +1,4 @@
 0001-Search-for-slapadd-in-sbin-path.patch
 0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+CVE-2025-61911.patch
+CVE-2025-61912.patch

Back to linux.debian.bugs.dist | Previous | Next | Find similar

Thread

Bug#1133131: bookworm-pu: package python-ldap/3.4.3-2+deb12u1 Moritz Muehlenhoff <jmm@debian.org> - 2026-04-10 10:20 +0200

csiph-web