[bookworm patch]

On Mon, Dec 15, 2025 at 12:58:34PM +0100, Julian Andres Klode wrote:
> On Tue, Dec 09, 2025 at 10:56:39PM +0100, Salvatore Bonaccorso wrote:
> > Source: python-apt
> > Version: 3.0.0
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for python-apt.
> >
> > CVE-2025-6966[0]:
> > | NULL pointer dereference in TagSection.keys() in python-apt on APT-
> > | based Linux systems allows a local attacker to cause a denial of
> > | service (process crash) via a crafted deb822 file with a malformed
> > | non-UTF-8 key.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-6966
> >     https://www.cve.org/CVERecord?id=CVE-2025-6966
> > [1] https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I have attached an update for trixie-security, individual commits are
> in https://salsa.debian.org/jak/python-apt/-/compare/3.0.0...3.0.y?from_project_id=1584
>
> Please let me know if you want me to upload this, or if we should stuff
> it into proposed-updates.
>
> This includes some fixes to adjust for branching of 3.0.y for trixie:
> - running the CI in trixie rather than unstable
> - setting the branch name for gbp
>
> It also includes updated mirror lists as generated by the pre-build
> script.
>

Same for bookworm; git: https://salsa.debian.org/jak/python-apt/-/compare/2.6.0...2.6.y?from_project_id=1584

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Attachment:
python-apt_2.6.1.diff.gz
Description: application/gzip