Package: pycares
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for pycares.

CVE-2025-48945[0]:
| pycares is a Python module which provides an interface to c-ares.
| c-ares is a C library that performs DNS requests and name
| resolutions asynchronously. Prior to version 4.9.0, pycares is
| vulnerable to a use-after-free condition that occurs when a Channel
| object is garbage collected while DNS queries are still pending.
| This results in a fatal Python error and interpreter crash. The
| vulnerability has been fixed in pycares 4.9.0 by implementing a safe
| channel destruction mechanism.

https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35
Fixed by: https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4 (v4.9.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48945
    https://www.cve.org/CVERecord?id=CVE-2025-48945

Please adjust the affected versions in the BTS as needed.
