On Tue, Dec 09, 2025 at 10:56:39PM +0100, Salvatore Bonaccorso wrote:
> Source: python-apt
> Version: 3.0.0
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for python-apt.
>
> CVE-2025-6966[0]:
> | NULL pointer dereference in TagSection.keys() in python-apt on APT-
> | based Linux systems allows a local attacker to cause a denial of
> | service (process crash) via a crafted deb822 file with a malformed
> | non-UTF-8 key.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-6966
>     https://www.cve.org/CVERecord?id=CVE-2025-6966
> [1] https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865
>
> Please adjust the affected versions in the BTS as needed.

I have attached an update for trixie-security, individual commits are in
https://salsa.debian.org/jak/python-apt/-/compare/3.0.0...3.0.y?from_project_id=1584

Please let me know if you want me to upload this, or if we should stuff it
into proposed-updates.

This includes some fixes to adjust for branching of 3.0.y for trixie:

- running the CI in trixie rather than unstable
- setting the branch name for gbp

It also includes updated mirror lists as generated by the pre-build script.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Attachment:
python-apt_3.0.1.diff.gz
Description: application/gzip
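An added example, not part of the bug report, the reply, or python-apt's own code, illustrating the edge case behind CVE-2025-6966: a deb822 field name that is not valid UTF-8. python-apt's TagSection is implemented in C++ and is not reproduced here; the pure-Python `deb822_keys` stand-in shows two crash-free ways a parser can handle such a key (decode it with `surrogateescape`, or reject the section with a clean exception), and `probe_installed_python_apt` runs the real `apt_pkg.TagSection(...).keys()` in a child process so that a crash in an unfixed installation is reported as a result rather than taking the caller down. All function names, the sample sections, and the assumption that `apt_pkg.TagSection` accepts the section as `bytes` are this example's own.

```python
"""Added example (not python-apt's code): deb822 field names that are not UTF-8.

CVE-2025-6966 is a NULL pointer dereference in python-apt's TagSection.keys()
triggered by a deb822 section whose key is not valid UTF-8.  The functions
below are a stand-in for the parsing decision involved, plus a child-process
harness for the real apt_pkg if it happens to be installed.
"""
from __future__ import annotations

import importlib.util
import subprocess
import sys

# Constructed sample sections (not taken from any real package).
GOOD_SECTION = b"Package: example\nVersion: 1.0-1\nDescription: ok\n"
# Same section with one 0xFF byte inside a field name, which is not valid UTF-8.
BAD_KEY_SECTION = b"Package: example\nVers\xffion: 1.0-1\nDescription: ok\n"


class Deb822Error(ValueError):
    """Raised in strict mode for a malformed field name or line."""


def deb822_keys(section: bytes, *, strict: bool = False) -> list[str]:
    """Return the field names of one deb822 section, in file order.

    Lenient mode (default) decodes every key with 'surrogateescape', so a
    non-UTF-8 key comes back as a str carrying lone surrogates instead of
    being dropped or crashing the caller.  Strict mode raises Deb822Error
    for such a key, which is the other reasonable non-crashing behaviour.
    """
    keys: list[str] = []
    for raw in section.split(b"\n"):
        if not raw.strip() or raw[:1] in (b" ", b"\t"):
            continue  # blank line or continuation line of the previous field
        if raw.startswith(b"#"):
            continue  # comment line, permitted in some deb822 files
        name, sep, _value = raw.partition(b":")
        if not sep:
            raise Deb822Error(f"line without ':' separator: {raw!r}")
        name = name.strip()
        try:
            keys.append(name.decode("utf-8"))
        except UnicodeDecodeError:
            if strict:
                raise Deb822Error(f"field name is not valid UTF-8: {name!r}") from None
            keys.append(name.decode("utf-8", "surrogateescape"))
    return keys


def has_non_utf8_key(keys: list[str]) -> bool:
    """True if any key was rescued by surrogateescape (lone surrogates U+DC80..U+DCFF)."""
    return any(0xDC80 <= ord(c) <= 0xDCFF for k in keys for c in k)


def strict_rejects(section: bytes) -> bool:
    """True if strict parsing raises Deb822Error for this section."""
    try:
        deb822_keys(section, strict=True)
    except Deb822Error:
        return True
    return False


# Child script: parse stdin with the real python-apt binding.  Assumes that
# apt_pkg.TagSection accepts the raw section as bytes.
_CHILD = (
    "import sys, apt_pkg\n"
    "data = sys.stdin.buffer.read()\n"
    "print(len(apt_pkg.TagSection(data).keys()))\n"
)


def probe_installed_python_apt(section: bytes) -> str | None:
    """Run apt_pkg.TagSection(section).keys() in a child process.

    Returns None when apt_pkg is not importable, 'ok' when the child exits
    normally, 'crash' when it dies from a signal (the CVE-2025-6966 symptom),
    and 'error' for an ordinary Python exception.
    """
    if importlib.util.find_spec("apt_pkg") is None:
        return None
    proc = subprocess.run([sys.executable, "-c", _CHILD], input=section,
                          capture_output=True)
    if proc.returncode == 0:
        return "ok"
    return "crash" if proc.returncode < 0 else "error"


if __name__ == "__main__":
    print("lenient keys:", deb822_keys(BAD_KEY_SECTION))
    print("strict rejects:", strict_rejects(BAD_KEY_SECTION))
    print("installed apt_pkg:", probe_installed_python_apt(BAD_KEY_SECTION))
```

Running the script on a host with python-apt installed prints `ok` or `crash` for the installed binding; on a host without it the probe returns `None` and only the pure-Python behaviour is shown. Isolating the real call in a child process is the point of the harness: a native crash in `keys()` terminates the interpreter, so a regression check for this class of bug should never call the binding in its own process.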