
Debian alert DLA-4446-1 (python-urllib3)

From:  Guilhem Moulin <guilhem@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4446-1] python-urllib3 security update
Date:  Fri, 23 Jan 2026 08:24:45 +0100
Message-ID:  <aXMiPQfg_qwNALPq@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4446-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
January 23, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-urllib3
Version        : 1.26.5-1~exp1+deb11u3
CVE ID         : CVE-2026-21441
Debian Bug     : 1125062

It was discovered that python-urllib3, an HTTP library with thread-safe
connection pooling for Python, was vulnerable to decompression bomb when
following HTTP redirects via the streaming API, which could lead to
Denial of Service.

For Debian 11 bullseye, this problem has been fixed in version
1.26.5-1~exp1+deb11u3.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Attachment: signature.asc (type=application/pgp-signature)





Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds