Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-ldap
User: [email protected]
Usertags: pu
Fixes two minor security issues in python-ldap (CVE-2025-61911 in ldap.filter.escape_filter_chars and CVE-2025-61912 in ldap.dn.escape_dn_chars). Tests in debusine look
all good. Debdiff below.
Cheers,
Moritz
diff -Nru python-ldap-3.4.4/debian/changelog python-ldap-3.4.4/debian/changelog
--- python-ldap-3.4.4/debian/changelog 2023-12-03 11:34:54.000000000 +0100
+++ python-ldap-3.4.4/debian/changelog 2026-04-06 23:33:25.000000000 +0200
@@ -1,3 +1,10 @@
+python-ldap (3.4.4-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-61911 (Closes: #1117858)
+ * CVE-2025-61912 (Closes: #1117859)
+
+ -- Moritz Mühlenhoff <[email protected]> Mon, 06 Apr 2026 23:33:25 +0200
+
python-ldap (3.4.4-1) unstable; urgency=low
* New upstream version 3.4.4
diff -Nru python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch
python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch
--- python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch 1970-01-01
01:00:00.000000000 +0100
+++ python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch 2026-04-06
23:32:56.000000000 +0200
@@ -0,0 +1,29 @@
+From 464fddacd63092d6e01c62a38316a713c30ca98a Mon Sep 17 00:00:00 2001
+From: lukas-eu <[email protected]>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.4.orig/Lib/ldap/filter.py
++++ python-ldap-3.4.4/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+ If 1 all NON-ASCII chars are escaped.
+ If 2 all chars are escaped.
+ """
++ if not isinstance(assertion_value, str):
++ raise TypeError("assertion_value must be of type str.")
+ if escape_mode:
+ r = []
+ if escape_mode==1:
+--- python-ldap-3.4.4.orig/Tests/t_ldap_filter.py
++++ python-ldap-3.4.4/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ class TestDN(unittest.TestCase):
+ ),
+ r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+ )
++ with self.assertRaises(TypeError):
++ escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++ with self.assertRaises(TypeError):
++ escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+
+ def test_escape_filter_chars_mode2(self):
+ """
diff -Nru python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch
python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch
--- python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch 1970-01-01
01:00:00.000000000 +0100
+++ python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch 2026-04-06
23:33:22.000000000 +0200
@@ -0,0 +1,28 @@
+From 9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <[email protected]>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.4.orig/Lib/ldap/dn.py
++++ python-ldap-3.4.4/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+ s = s.replace('>' ,'\\>')
+ s = s.replace(';' ,'\\;')
+ s = s.replace('=' ,'\\=')
+- s = s.replace('\000' ,'\\\000')
++ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++ s = s.replace('\x00' ,'\\00')
+ if s[-1]==' ':
+ s = ''.join((s[:-1],'\\ '))
+ if s[0]=='#' or s[0]==' ':
+--- python-ldap-3.4.4.orig/Tests/t_ldap_dn.py
++++ python-ldap-3.4.4/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'),
'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++ self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'),
'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\00\\"')
+ self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'),
'foo\\\\\\,bar')
+
+ def test_str2dn(self):
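Review bot: The new `s.replace('\x00', '\\00')` line is only correct because the backslash-doubling replace presumably runs earlier in the chain, before this hunk; if that ordering ever changes, the backslash introduced here would itself be escaped, so a comment pinning it is worthwhile, e.g. `# must stay after the backslash doubling above, or the '\\' in '\\00' would be escaped again`. The `s[-1]` and `s[0]` checks on the context lines below assume a non-empty string; whatever guard ensures that is outside the hunk and not visible here. `escape_dn_chars` starts and ends outside the hunk.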
diff -Nru python-ldap-3.4.4/debian/patches/series
python-ldap-3.4.4/debian/patches/series
--- python-ldap-3.4.4/debian/patches/series 2023-12-03 11:34:54.000000000
+0100
+++ python-ldap-3.4.4/debian/patches/series 2026-04-06 23:33:11.000000000
+0200
@@ -1,2 +1,4 @@
0001-Search-for-slapadd-in-sbin-path.patch
0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+CVE-2025-61911.patch
+CVE-2025-61912.patch