Bug#1109377: pycares: CVE-2025-48945
Package: pycares
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for pycares.
CVE-2025-48945[0]:
| pycares is a Python module which provides an interface to c-ares.
| c-ares is a C library that performs DNS requests and name
| resolutions asynchronously. Prior to version 4.9.0, pycares is
| vulnerable to a use-after-free condition that occurs when a Channel
| object is garbage collected while DNS queries are still pending.
| This results in a fatal Python error and interpreter crash. The
| vulnerability has been fixed in pycares 4.9.0 by implementing a safe
| channel destruction mechanism.
https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35
Fixed by: https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4 (v4.9.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48945
https://www.cve.org/CVERecord?id=CVE-2025-48945
Please adjust the affected versions in the BTS as needed.