Hi Colin,

On Fri, Mar 27, 2026 at 01:43:38PM +0000, Colin Watson wrote:
> On Fri, Mar 27, 2026 at 12:02:49AM +0000, Sujeet Rane wrote:
> > Sorry for the odd / hostile approach. I hope you can excuse me for it.
>
> No worries.
>
> > Thanks for the bug report for bug#1098271. I did not search for
> > libsodium when I went through the Debian bug tracker, hence did not
> > stumble on it.
> > My intent was to get to the bottom of whether this package is going to
> > have a new release on APT / Debian.
> > My reason to request the update for python3-nacl (from 1.5.9 to 1.6.2) to
> > fix CVE-2025-69277 comes from reading the PyNaCl changelog on
> > https://pypi.org/project/PyNaCl/
> > Your explanation of how python3-nacl is not affected when pynacl is
> > affected by CVE-2025-69277, as python3-nacl gets libsodium from a
> > dependency rather than bundling its own copy, helps me understand this
> > better.
> > Is there a place where this is documented so I can refer to this in the
> > future before I start logging support / bug requests?
> > To suppress a vulnerability tool finding, I need to provide evidence to
> > justify my suppression of a vulnerability in a regulated environment to
> > ensure it satisfies the stakeholders and auditors. I hope you understand
> > this requirement and thus my intent to get to the bottom of this issue.
>
> Normally I'd say that this information should be on the security
> tracker, but https://security-tracker.debian.org/tracker/CVE-2025-69277
> in fact doesn't mention python-nacl. CC team@security; since upstream
> PyNaCl released an update for this CVE due to bundling libsodium in the
> wheels published on PyPI, can we perhaps add a note to the tracker to
> say that python-nacl is unaffected in Debian due to not bundling
> libsodium? That might avoid some confusion.
We won't add python-nacl for the CVE, sorry. Actually we do it the other way
around, when we get to know that a source package embedding something is not
just shipping a vulnerable source but has as well a security impact when using
the vendored library (this is not always the case).

But to help this case I have added python-nacl to the embedded-copies files,
indicating that python-nacl, while it has the libsodium source (thus unfixed,
embed tagged), does build from the very start with SODIUM_INSTALL=system and
so uses the system version.

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d45adbdbc28b6d5e4d43d5904abf1adf8542c941

Thanks for raising that!

Regards,
Salvatore
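As an added example (not part of this thread), the kind of evidence the original question asks for: a check that tells a python3-nacl built with SODIUM_INSTALL=system (libsodium listed as a NEEDED shared library of the nacl._sodium extension, so fixes arrive via the libsodium23 package) from a PyPI wheel with libsodium compiled in statically (no such entry). The readelf output samples are constructed; inspecting an installed copy assumes readelf is on PATH.

```python
import re
import shutil
import subprocess
from typing import List, Optional

# Constructed sample of `readelf -d` output for a nacl._sodium extension built
# with SODIUM_INSTALL=system: libsodium is a dynamic dependency, so the module
# picks up whatever the distro's libsodium package ships.
SYSTEM_LINKED = """
Dynamic section at offset 0x2ed30 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libsodium.so.23]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000
"""

# Constructed sample for a wheel with libsodium statically compiled in:
# no libsodium.so among the NEEDED entries, so a libsodium fix needs a rebuild.
BUNDLED = """
Dynamic section at offset 0x5ed30 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def needed_libraries(readelf_output: str) -> List[str]:
    """Return the NEEDED (dynamic) dependencies listed in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_output)


def libsodium_source(readelf_output: str) -> str:
    """'system' if a libsodium shared object is a dynamic dependency,
    'bundled' otherwise (libsodium compiled into the extension itself)."""
    libs = needed_libraries(readelf_output)
    return "system" if any(lib.startswith("libsodium.so") for lib in libs) else "bundled"


def inspect_installed_pynacl() -> Optional[str]:
    """Run readelf against the installed nacl._sodium extension, if present."""
    try:
        import nacl._sodium as ext  # the cffi extension PyNaCl ships
    except ImportError:
        return None
    if shutil.which("readelf") is None:
        return None
    proc = subprocess.run(["readelf", "-d", ext.__file__],
                          capture_output=True, text=True, check=True)
    return libsodium_source(proc.stdout)


if __name__ == "__main__":
    print("sample (system libsodium):", libsodium_source(SYSTEM_LINKED))
    print("sample (bundled libsodium):", libsodium_source(BUNDLED))
    print("installed PyNaCl:", inspect_installed_pynacl())
```

The readelf output itself is what an auditor can reproduce, so keep it alongside the classification when documenting a suppression.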

