Ubuntu alert USN-7927-3 (python-urllib3)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7927-3] urllib3 regression | |
| Date: | Tue, 13 Jan 2026 16:25:13 +0000 | |
| Message-ID: | <E1vfhCj-0007hy-Q0@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-7927-3 January 13, 2026 python-urllib3 regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 25.04 - Ubuntu 24.04 LTS Summary: USN-7927-1 introduced a regression in urllib3 Software Description: - python-urllib3: HTTP library with thread-safe connection pooling Details: USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in urllib3 when decompressing zstd data. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit the steps in a decompression chain. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service. (CVE-2025-66418) Rui Xi discovered that urllib3 incorrectly handled highly compressed data. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-66471) For the brotli encoding, the fix for CVE-2025-66471 requires an additional security update in the brotli package. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 python3-urllib3 2.3.0-3ubuntu0.4 Ubuntu 25.04 python3-urllib3 2.3.0-2ubuntu0.5 Ubuntu 24.04 LTS python3-urllib3 2.0.7-1ubuntu0.6 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7927-3 https://ubuntu.com/security/notices/USN-7927-2 https://ubuntu.com/security/notices/USN-7927-1 CVE-2025-66471, https://bugs.launchpad.net/bugs/2136906 Package Information: https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0... https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0... https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7...
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmlmccwACgkQcpJm3tlz hgEDWBAAsQ37xtDCor9Z/Jfvh/AHcTtiZVVIVx4vQSSH6kSUwScGJm/POUxWEppK nZp5klgxyvg5J2RvO5Ogp1ELDeXxVgNt2xfHpT7LO2uuLwqpkkpYS1IW0F5448QZ qOTLLpPwcifa8PDZ2wYN7VZehHRA/4u3c95istvehuxI1iBII5tGOIIEr311Jg5V JwPSZWxjqUMueWcxzEA36mwUbJksQeNufSqkcpEdcRpEu2hlGa6PHmqr3oIc4vMR oX4ko/b08FR6vp7xf4wDR1Em5H4mfZKn7bU6y6NrsxikLtrS7PA1lc9D45Y6gHSn /7CR89+LiKarArST3xK0UAZlutqzBpmlhltqOCN7TdaXEICfGWdqPZw1w9kq84Wa ClCFkqkhG7tfZHDkdmOFWCTacaYYWAKLOUUS+KiqeT+RRdj+pseH5ajXGw7/ApEb mxMgpUcZhH9EnNSNuvmW5pqfw68zRBCe2Q2luQb4kkIeTVeUum5LOGKhLAvmSkxs Zs8AEhnN/8S+ZgmaNGgmZ0mEuyjeLoF/uThW15aWrR4eq2Cem+5nxxjqQf9Kp7In dM+xb6waDXhjh3lbiL18D6svwUqqozR0II8ovJX5Zslrx8F6l1UeMescqBdDVj8C sI3sPdlLhBlCnOuQZ5ozCvnqpb56/n5jSYNRfPnJ556zX4XKw60= =1lb+ -----END PGP SIGNATURE-----