#1137181 bookworm-pu: package python-markdown/3.4.1-2+deb12u1

#1137181#5
Date:
2026-05-20 12:21:09 UTC
From:
To:
[ Reason ]
This upload fixes two issues:

1. CVE-2025-69534: parser crash on malformed <![ sequences. There are two
   patches for this bug: bogus_comments.diff (backported from 3.5.2, pre-CVE)
   and incomplete_markup_declaration.diff (backported from 3.8.1).

2. Bug #1137043: Fix for test failures with python3.11 >= 3.11.2-6+deb12u7,
   where some changes were made to html.parser to address CVE-2025-6069, which
   broke Python-Markdown because it heavily relies on html.parser internals.

[ Impact ]
CVE-2025-69534 enables remote, unauthenticated Denial of Service in web
applications, documentation systems, CI/CD pipelines, and any service that
renders untrusted Markdown.

[ Tests ]
All changes are covered by automated tests, which are run during build.

[ Risks ]
The changes have been part of upstream Python-Markdown for a while, and are well
covered by tests, so they should be safe.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Backport upstream fixes for parsing bogus HTML markup (CVE-2025-69534).
  * Adapt to changes in html.parser module in the new Python, backported
    to Bookworm as part of CVE fixes (closes: #1137043).

There are also branch changes in debian/gbp.conf and debian/gitlab-ci.yml,
which are needed for the CI, but those files do not affect the built package
in any way.

[ Other info ]
See also #1137180: similar upload to Trixie.

See also #1131896: discussion about whether CVE-2025-69534 needs to be
addressed in Python 3.11 itself, not in Python-Markdown. In case it happens
at some point, Python-Markdown should not break. I am not waiting for a fix
in Python and including a workaround in Python-Markdown itself, since it is
needed for the #1137043 patch to apply cleanly anyway.

#1137181#12
Date:
2026-05-23 10:46:21 UTC
From:
To:
Hi,

Please go ahead.

Thanks,