Control: retitle -1 python-nacl: New upstream release 1.6.2
Control: severity -1 wishlist
Control: block -1 by 1098271
On Thu, Mar 26, 2026 at 02:23:01AM +0000, Sujeet Rane wrote:
> We use Ubuntu in our environment and Ubuntu copies packages from Debian.
> Currently for Ubuntu Noble, the latest python3-nacl package available is
> version 1.5.0 which was released in Jan 2022 (Reference -
> https://www.ubuntuupdates.org/package/core/noble/main/base/python3-nacl &
> https://packages.debian.org/sid/python3-nacl)
>
> The main python library on pip is at version 1.6.2 (Reference -
> https://pypi.org/project/PyNaCl/).
>
> We are using python3-nacl as a default OS package on our server (Noble) and
> are dealing with vulnerability CVE-2025-69277 for libsodium version 1.0.20 or
> below.
> The package python3-nacl is affected by the vulnerability as it uses
> libsodium version 1.0.20 or below.
>
> I wanted to know if this package is actively maintained or not. If not, what
> is the advice for the users using this package.

This is a really odd way to ask for a new version of a package or for a bug to be fixed! It isn't usual, and is rather hostile, to just jump straight to "is this package actively maintained" when you aren't, for example, following up to an existing bug report that's been open for a long time.

Yes, this package is still maintained.

CVE-2025-69277 is not directly relevant to python3-nacl as packaged in Debian/Ubuntu, because (unlike the wheels on PyPI) it gets libsodium from a dependency rather than bundling its own copy. So you are mistaken that python3-nacl needs to be patched for this CVE; as somebody already told you on https://answers.launchpad.net/ubuntu/+source/python-nacl/+question/823936, the patch to libsodium23 that the Ubuntu security team already released in https://ubuntu.com/security/notices/USN-7949-1 is enough to fix your systems if you have those versions installed. You may have some kind of vulnerability scanner that tells you otherwise; if so, you should override it.

I would like to upgrade to 1.6.2 for other reasons, but this is blocked on https://bugs.debian.org/1098271 being fixed in unstable.

Regards,

-- 
Colin Watson (he/him)                              [[email protected]]
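An added check (not part of the bug report or of the python-nacl package) for the distinction the reply relies on: whether the installed PyNaCl resolves libsodium from the system `libsodium23` package or statically links its own copy, and which libsodium version actually runs. It assumes PyNaCl's C extension is importable as `nacl._sodium` and that `ldd` is on PATH; the two `ldd` outputs below are constructed samples of the Debian-style and wheel-style cases.

```python
"""Does this PyNaCl link the system libsodium (fix via libsodium23) or bundle its own?"""
import ctypes
import importlib.util
import re
import subprocess
import sys

# Constructed `ldd` samples: Debian's python3-nacl links libsodium.so.23 dynamically;
# PyPI manylinux wheels statically link libsodium, so it never appears in `ldd` output.
LDD_DEBIAN_STYLE = """\
	libsodium.so.23 => /lib/x86_64-linux-gnu/libsodium.so.23 (0x00007f1c2a400000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)
"""
LDD_WHEEL_STYLE = """\
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9e0c200000)
"""

def libsodium_from_ldd(ldd_output: str):
    """Return the resolved libsodium path, or None if libsodium is not a dynamic dependency."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*libsodium\.so[\w.]*\s*=>\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def classify(libsodium_path):
    """'system': the libsodium23 package is what needs patching; 'bundled': only a new PyNaCl fixes it."""
    if libsodium_path is None:
        return "bundled"
    if libsodium_path.startswith(("/lib", "/usr/lib")):
        return "system"
    return "other"  # a virtualenv or vendor tree shipping its own libsodium copy

def runtime_version(libsodium_path: str) -> str:
    """Ask the library itself; sodium_version_string() is libsodium's own C API."""
    lib = ctypes.CDLL(libsodium_path)
    lib.sodium_version_string.restype = ctypes.c_char_p
    return lib.sodium_version_string().decode()

def main() -> int:
    spec = importlib.util.find_spec("nacl._sodium")  # assumed extension module name
    if spec is None or not spec.origin:
        print("PyNaCl is not installed for this interpreter")
        return 1
    ldd = subprocess.run(["ldd", spec.origin], capture_output=True, text=True, check=True).stdout
    path = libsodium_from_ldd(ldd)
    detail = f" ({path}, libsodium {runtime_version(path)})" if path else ""
    print(f"{spec.origin}: libsodium is {classify(path)}{detail}")
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

A result of `system` means the version your scanner should compare against the advisory is the one reported here (the `libsodium23` package), not the PyNaCl version.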

