Package: pycares
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for pycares.

CVE-2025-48945[0]:
| pycares is a Python module which provides an interface to c-ares.
| c-ares is a C library that performs DNS requests and name
| resolutions asynchronously. Prior to version 4.9.0, pycares is
| vulnerable to a use-after-free condition that occurs when a Channel
| object is garbage collected while DNS queries are still pending.
| This results in a fatal Python error and interpreter crash. The
| vulnerability has been fixed in pycares 4.9.0 by implementing a safe
| channel destruction mechanism.

https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35
Fixed by: https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4 (v4.9.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48945
    https://www.cve.org/CVERecord?id=CVE-2025-48945

Please adjust the affected versions in the BTS as needed.