- Package: src:python-daphne
- Source: src:python-daphne
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-24 11:07:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for python-daphne.

CVE-2026-44545[0]:
| daphne before 4.2.2 did not pass maxFramePayloadSize or
| maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because
| Autobahn defaults both values to 0 (unlimited), an unauthenticated
| remote attacker could send arbitrarily large WebSocket messages or
| frames, causing excessive memory consumption and a denial of
| service.

CVE-2026-44546[1]:
| daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's
| parsed headers and feeds it to autobahn for WebSocket handshake
| processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or
| \x85 as header line separators, but autobahn decodes header values
| to str and calls splitlines(). An attacker can exploit this parser
| differential to inject additional headers into the ASGI scope passed
| to the application. daphne now rejects requests with these bytes in
| any header value with a 400 response.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44545
    https://www.cve.org/CVERecord?id=CVE-2026-44545
[1] https://security-tracker.debian.org/tracker/CVE-2026-44546
    https://www.cve.org/CVERecord?id=CVE-2026-44546

Regards,
Salvatore
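The parser differential behind CVE-2026-44546, shown as an added illustration that is not code from daphne, autobahn or this bug report: Python's bytes.splitlines() breaks only on CR/LF (matching what Twisted hands over), while str.splitlines() also breaks on the six bytes named above, so a single header value can turn into extra "header lines" once decoded. The latin-1 decoding and the header names in the sample are assumptions of this example; the final function mirrors the described fix of rejecting such values with a 400.

```python
"""Constructed demonstration of the str/bytes splitlines differential."""
from typing import Iterable, List, Optional, Tuple

# Bytes that str.splitlines() treats as line boundaries but a CR/LF-only
# header parser does not: the list given in the advisory.
STR_ONLY_SEPARATORS = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def lines_seen_by_bytes_splitlines(value: bytes) -> List[bytes]:
    """bytes.splitlines() only splits on \\r and \\n: the value stays whole."""
    return value.splitlines()


def lines_seen_by_str_splitlines(value: bytes) -> List[str]:
    """Same value after decoding to str: extra boundaries appear.

    latin-1 is an assumption of this example; it maps each byte to one code
    point, so \\x85 becomes U+0085 (NEL), which str.splitlines() splits on.
    """
    return value.decode("latin-1").splitlines()


def has_str_only_separator(value: bytes) -> bool:
    """True if the value carries any byte from STR_ONLY_SEPARATORS."""
    return any(b in STR_ONLY_SEPARATORS for b in value)


def validate_header_values(headers: Iterable[Tuple[bytes, bytes]]) -> Optional[int]:
    """Return 400 when a header value contains an ambiguous byte, else None.

    This is the shape of the mitigation the advisory describes: refuse the
    request before any str-based re-parsing can see extra lines.
    """
    for _name, value in headers:
        if has_str_only_separator(value):
            return 400
    return None


if __name__ == "__main__":
    # Constructed sample: a single Upgrade value carrying a \x0b byte.
    sample = b"websocket\x0bx-constructed: demo"
    print(lines_seen_by_bytes_splitlines(sample))  # one element
    print(lines_seen_by_str_splitlines(sample))    # two elements
    print(validate_header_values([(b"upgrade", sample)]))  # 400
```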
Dear maintainer,

I've prepared an NMU for python-daphne (versioned as 4.2.2-0.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I should
cancel it.

cu
Adrian
We believe that the bug you reported is fixed in the latest version of
python-daphne, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138864@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated python-daphne package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 22 Jun 2026 22:44:26 +0300
Source: python-daphne
Architecture: source
Version: 4.2.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1138864
Changes:
python-daphne (4.2.2-0.1) unstable; urgency=medium
.
  * Non-maintainer upload.
  * New upstream release.
    - CVE-2026-44545: DoS via unbounded WebSocket message sizes
    - CVE-2026-44546: Header injection on WebSocket upgrade path
      (Closes: #1138864)