Ubuntu alert USN-7927-2 (python-urllib3)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7927-2] urllib3 regression | |
| Date: | Mon, 12 Jan 2026 23:08:08 +0000 | |
| Message-ID: | <E1vfR16-0002CT-Bm@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-7927-2 January 12, 2026 python-urllib3 regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 25.04 - Ubuntu 24.04 LTS Summary: USN-7927-1 introduced a regression in urllib3 Software Description: - python-urllib3: HTTP library with thread-safe connection pooling Details: USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in the zstd decompression component inside urllib3. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit the steps in a decompression chain. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service. (CVE-2025-66418) Rui Xi discovered that urllib3 incorrectly handled highly compressed data. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-66471) For the brotli encoding, the fix for CVE-2025-66471 requires an additional security update in the brotli package. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 python3-urllib3 2.3.0-3ubuntu0.3 Ubuntu 25.04 python3-urllib3 2.3.0-2ubuntu0.4 Ubuntu 24.04 LTS python3-urllib3 2.0.7-1ubuntu0.5 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7927-2 https://ubuntu.com/security/notices/USN-7927-1 CVE-2025-66471, https://launchpad.net/bugs/2136906 Package Information: https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0... https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0... https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7...
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmllfeYACgkQcpJm3tlz hgHk1Q/8C8gGbsgFPdMgedGY4GSnXC7g1ikxQ06edGGr1hMg2g454FSpV1Lg/N9H KBoA1PJUyAEO1DHEIw5i4NPFHIw2srhOVmheDJk7UECmDK9jvcHVnGvmlTOuLfx1 DseZcRVFXyab2crp55SVJN8cPp30z4zcHmqadpm9LNEK0iBRE6YWUeftLOpxrPC3 KtrAkR/g75J1dS9bq5LrB9Yoh/PHf/nCYU8TouTgjo3K6SNQghI+4+AB5dkZX2sx 5GvObyzpZyePNEUBManzkJK0jvSqc5cqu3HUcU8LYzLgCSbmQ8NSamHyiqy0prm6 TINd9wF9nBLDq95yghDalmtCHQrPT4RvPmU+UfCaqDG+JgH98aTSc0LIOnbacl2Z 5kCJv4AHDoOlHGwEkZTORLoo+YR7LwBM7bdh6pfBIDTB8S1/N3trLtGCMq0MRG4R R7nIqkRH8CZWh+zesj1brBlcntg9I901XLf8krQ27El82ciTfi5yicoEBksTvPlZ 3n1psA1s/hcj8raWZwDjmYFKc+gbCkFHWAjRZAzypgz/YI52eYPXwq7PmXQ6Sdlc V6ENqrEzhpVypV3SCxITPUBALul7sGlkzHuTLLQYmqrVM0V6llkIB043tD11ECCo P9WVkMEDIWAQ/V1ijpgVICjzQD1jx7u3U4qQGwViVlyuPv6C5pE= =TDEE -----END PGP SIGNATURE-----