On Fri, Mar 27, 2026 at 12:02:49AM +0000, Sujeet Rane wrote:
> Sorry for the odd / hostile approach. I hope you can excuse me for it.

No worries.

> Thanks for the bug report for bug#1098271. I did not search for
> libsodium when I went through the Debian bug tracker, hence did not stumble
> on it.
> My intent was to get to the bottom of whether this package is going to have a
> new release on APT / Debian.
> My reason to request the update for python3-nacl (from 1.5.9 to 1.6.2) to
> fix CVE-2025-69277 comes from reading the PyNaCl changelog on
> https://pypi.org/project/PyNaCl/
> Your explanation of how python3-nacl is not affected when pynacl is
> affected by CVE-2025-69277, as python3-nacl gets libsodium from a
> dependency and does not bundle its own copy, helps me understand this better.
> Is there a place where this is documented so I can refer to it in the
> future before I start logging support / bug requests?
> To suppress a vulnerability tool finding, I need to provide evidence to
> justify my suppression of a vulnerability in a regulated environment to
> ensure it satisfies the stakeholders and auditors. I hope you understand
> this requirement and thus my intent to get to the bottom of this issue.

Normally I'd say that this information should be on the security tracker,
but https://security-tracker.debian.org/tracker/CVE-2025-69277 in fact
doesn't mention python-nacl.

CC team@security; since upstream PyNaCl released an update for this CVE due
to bundling libsodium in the wheels published on PyPI, can we perhaps add a
note to the tracker to say that python-nacl is unaffected in Debian due to
not bundling libsodium?  That might avoid some confusion.

Thanks,

-- 
Colin Watson (he/him)                              [[email protected]]
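The distinction Colin draws above (Debian's python3-nacl links against the distro libsodium, while the PyPI wheels bundle their own copy) is something an auditor can verify on the box rather than take on trust. The script below is an added example written for this archive page; it is not part of the thread, of python-nacl or of Debian's tooling. It assumes that a distro build resolves `libsodium.so.*` to a path under `/lib` or `/usr/lib`, and that a bundling wheel either links libsodium statically into the `nacl._sodium` extension (no libsodium line in `ldd` output at all) or vendors a `libsodium*.so` inside the package directory. The `ldd` samples are constructed for the example, not captured from a real machine; `inspect_installed_pynacl()` runs the same classification against whatever PyNaCl is importable and, on Debian, asks `dpkg -S` which package owns the libsodium file so the result can be cited as evidence.

```python
"""Added check: does the installed PyNaCl use the system libsodium or a bundled copy?

Assumptions (this example's, not the thread's): a distro build links
nacl._sodium dynamically against a libsodium under /lib or /usr/lib; a PyPI
wheel links libsodium statically into the extension or vendors a
libsodium*.so next to it.  Sample ldd outputs below are constructed.
"""
import re
import shutil
import subprocess

# Directories that hold distribution-managed shared libraries on Debian.
SYSTEM_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Matches "libfoo.so.N => /path/libfoo.so.N (0x...)" lines emitted by ldd.
LDD_RESOLVED = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)")


def classify_libsodium(ldd_output):
    """Classify how an extension obtains libsodium from its ldd output.

    Returns (verdict, path):
      ("system", path)         dynamically linked to a distro-owned libsodium
      ("bundled-shared", path) dynamically linked to a libsodium shipped inside
                               the Python package (vendored shared object)
      ("missing", None)        ldd reports libsodium as "not found"
      ("bundled-static", None) no libsodium dependency at all, so the library
                               was compiled into the extension itself
    """
    for line in ldd_output.splitlines():
        m = LDD_RESOLVED.match(line)
        if not m or not m.group(1).startswith("libsodium"):
            continue
        path = m.group(2)
        if path == "not":  # "libsodium.so.23 => not found"
            return "missing", None
        if path.startswith(SYSTEM_LIB_PREFIXES):
            return "system", path
        return "bundled-shared", path
    return "bundled-static", None


def inspect_installed_pynacl():
    """Run the check against the PyNaCl importable in this interpreter.

    Returns (verdict, libsodium_path, dpkg_owner), or None when PyNaCl or ldd
    is unavailable.  dpkg_owner is the `dpkg -S` line naming the Debian
    package that owns the libsodium file; it is empty outside Debian.
    """
    try:
        import nacl._sodium as ext  # the cffi extension that binds libsodium
    except ImportError:
        return None
    if shutil.which("ldd") is None:
        return None
    ldd = subprocess.run(["ldd", ext.__file__], capture_output=True, text=True, check=False)
    verdict, path = classify_libsodium(ldd.stdout)
    owner = None
    if path is not None and shutil.which("dpkg") is not None:
        dpkg = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True, check=False)
        owner = dpkg.stdout.strip() or None
    return verdict, path, owner


# Constructed sample: what ldd shows for a distro-built extension.
SAMPLE_LDD_SYSTEM = """\
    linux-vdso.so.1 (0x00007ffd1c3f0000)
    libsodium.so.23 => /lib/x86_64-linux-gnu/libsodium.so.23 (0x00007f1c2a000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)
"""
# Constructed sample: a wheel whose libsodium is statically linked.
SAMPLE_LDD_STATIC = """\
    linux-vdso.so.1 (0x00007ffd1c3f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)
"""
# Constructed sample: a wheel that vendors a libsodium shared object.
SAMPLE_LDD_VENDORED = """\
    libsodium-4a1b2c3d.so.23 => /home/user/.venv/lib/python3.12/site-packages/nacl.libs/libsodium-4a1b2c3d.so.23 (0x00007f1c2a000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)
"""

if __name__ == "__main__":
    for name, sample in (("system", SAMPLE_LDD_SYSTEM),
                         ("static", SAMPLE_LDD_STATIC),
                         ("vendored", SAMPLE_LDD_VENDORED)):
        print(f"sample {name:>8}: {classify_libsodium(sample)}")
    print("installed PyNaCl:", inspect_installed_pynacl())
```

A "system" verdict together with a `dpkg -S` line pointing at the libsodium23 package is the evidence that the CVE's fix lives in that Debian package, not in python3-nacl; a "bundled-static" or "bundled-shared" verdict means the copy shipped with the Python package is what the scanner should be matched against.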

