• Bug#1104056: python-h11: CVE-2025-43859

    From Salvatore Bonaccorso@21:1/5 to All on Fri Apr 25 06:50:01 2025
    Source: python-h11
    Version: 0.14.0-1
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for python-h11.

    CVE-2025-43859[0]:
    | h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0,
    | a leniency in h11's parsing of line terminators in chunked-coding
    | message bodies can lead to request smuggling vulnerabilities under
    | certain conditions. This issue has been patched in version 0.16.0.
    | Since exploitation requires the combination of buggy h11 with a
    | buggy (reverse) proxy, fixing either component is sufficient to
    | mitigate this issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-43859
    https://www.cve.org/CVERecord?id=CVE-2025-43859
    [1] https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
    [2] https://github.com/python-hyper/h11/commit/dff7cc397a26ed4acdedd92d1bda6c8f18a6ed9f

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
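The advisory quoted above describes the class of defect (a chunked-body reader that is lenient about the terminator following each chunk's data), and the fix title in the NMU below ("Validate Chunked-Encoding chunk footer") names the check that closes it. The following strict decoder is an added example written for this page; it is not h11's code and makes no claim about how h11 implemented the parsing before or after the fix. It enforces the RFC 9112 rule that exactly CRLF must follow each chunk's declared number of data bytes, and reports which of a few constructed sample bodies it accepts or rejects.

```python
import re

# Chunk header: hex size, optional ";ext" chunk extension, then CRLF.
# Matched with .match(data, pos), which anchors at pos without needing "^".
CHUNK_HEADER = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


class ChunkedBodyError(ValueError):
    """Raised for any body that is not well-formed chunked coding."""


def parse_chunked_strict(data: bytes) -> bytes:
    """Decode a chunked-coding body, returning the de-chunked payload.

    The security-relevant check is the chunk footer: after `size` bytes of
    chunk data, exactly b"\\r\\n" must follow. Anything else (a bare LF,
    extra bytes, a missing terminator) is rejected rather than skipped, so
    this decoder and any other strict decoder agree on where the body ends.
    """
    pos = 0
    out = bytearray()
    while True:
        m = CHUNK_HEADER.match(data, pos)
        if m is None:
            raise ChunkedBodyError(f"malformed chunk header at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break  # last-chunk; trailers (if any) follow
        end = pos + size
        if end > len(data):
            raise ChunkedBodyError("truncated chunk data")
        out += data[pos:end]
        footer = data[end:end + 2]
        if footer != b"\r\n":
            raise ChunkedBodyError(f"chunk footer {footer!r}, expected CRLF")
        pos = end + 2
    # Trailer section: zero or more header lines, then an empty line.
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end == -1:
            raise ChunkedBodyError("truncated trailer section")
        line = data[pos:line_end]
        pos = line_end + 2
        if line == b"":
            break
    if pos != len(data):
        raise ChunkedBodyError(f"{len(data) - pos} bytes after end of body")
    return bytes(out)


# Constructed sample bodies (not taken from the advisory or from h11's tests).
SAMPLES = {
    "well_formed": b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
    "chunk_extension": b"4;ext=1\r\nWiki\r\n0\r\n\r\n",
    "with_trailer": b"0\r\nX-Trailer: 1\r\n\r\n",
    "bare_lf_footer": b"4\r\nWiki\n0\r\n\r\n",
    "extra_bytes_before_crlf": b"4\r\nWikiXX\r\n0\r\n\r\n",
    "truncated": b"4\r\nWi",
}


def verdict(body: bytes) -> str:
    """Return "ok" if the strict decoder accepts `body`, else "reject"."""
    try:
        parse_chunked_strict(body)
        return "ok"
    except ChunkedBodyError:
        return "reject"


def verdicts() -> dict:
    """Strict-decoder verdict for every constructed sample body."""
    return {name: verdict(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:26s} {result}")
```

The three rejected samples are the ones a lenient reader might silently accept by scanning forward to the next line terminator; a decoder that does so can place the end of the body at a different offset than a strict peer, which is the disagreement the advisory refers to. Rejecting the message outright is the safe behaviour, and it is what the chunk-footer validation in the fix is about.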
  • From Adrian Bunk@21:1/5 to All on Fri Apr 25 18:10:01 2025
    Control: tags 1104056 + patch
    Control: tags 1104056 + pending

    Dear maintainer,

    I've prepared an NMU for python-h11 (versioned as 0.14.0-1.1) and
    uploaded it to DELAYED/5. Please feel free to tell me if I should
    cancel it.

    cu
    Adrian

    diffstat for python-h11-0.14.0 python-h11-0.14.0

    changelog | 8
    patches/0001-Validate-Chunked-Encoding-chunk-footer.patch | 169 ++++++++++++++
    patches/series | 1
    3 files changed, 178 insertions(+)

    diff -Nru python-h11-0.14.0/debian/changelog python-h11-0.14.0/debian/changelog --- python-h11-0.14.0/debian/changelog 2023-01-09 15:00:57.000000000 +0200
    +++ python-h11-0.14.0/debian/changelog 2025-04-25 18:48:39.000000000 +0300
    @@ -1,3 +1,11 @@
    +python-h11 (0.14.0-1.1) unstable; urgency=medium
    +
    + * Non-maintainer upload.
    + * CVE-2025-43859: Don't accept malformed chunked-encoding bodies
    + (Closes: #1104056)
    +
    + -- Adrian Bunk <bunk@debian.org> Fri, 25 Apr 2025 18:48:39 +0300
    +
    python-h11 (0.14.0-1) unstable; urgency=low

    * New upstream release.
    diff -Nru python-h11-0.14.0/debian/patches/0001-Validate-Chunked-Encoding-chunk-footer.patch python-h11-0.14.0/debian/patches/0001-Validate-Chunked-Encoding-chunk-footer.patch
    --- python-h11-0.14.0/debian/patches/0001-Validate-Chunked-Encoding-chunk-footer.patch 1970-01-01 02:00:00.000000000 +0200
    +++ python-h11-0.14.0/debian/patches/0001-Validate-Chunked-Encoding-chunk-footer.patch 2025-04-25 18:47:21.000000000 +0300
    @@ -0,0 +1,169 @@
    +From 8b97933b259f34e5c66a4a1ae46c6fc176e26999 Mon Sep 17 00:00:00 2001
    +From: "N
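Review bot: the patch file's "From 8b97933b259f34e5c66a4a1ae46c6fc176e26999" line names a commit that differs from the upstream fix commit dff7cc397a26ed4acdedd92d1bda6c8f18a6ed9f cited as [2] in the bug report, and the patch header as shown here is cut off before any Origin/Bug fields appear; adding DEP-3 headers (Origin: pointing at the upstream commit or advisory GHSA-vqfr-h8mv-ghfj, Bug-Debian: https://bugs.debian.org/1104056) would let a reviewer confirm that this is the intended backport of the 0.16.0 chunk-footer validation rather than a different revision.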