- Package: src:python-idna
- Source: src:python-idna
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-25 09:21:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for python-idna.

CVE-2026-45409[0]:
| Internationalized Domain Names in Applications (IDNA) for Python
| provides support for Internationalized Domain Names in Applications
| (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
| to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N +
| "\u6f22"` utilize the `valid_contexto` function prior to length
| rejection, and for high values of `N` will take a long time to
| process. This is the same issue as CVE-2024-3651, however the
| original remediation in 2024 was not a complete fix. A specially
| crafted argument to the `idna.encode()` function could consume
| significant resources. This may lead to a denial-of-service.
| Starting in version 3.14, the function rejects long inputs as soon
| as practicable prior to any further processing to minimize resource
| consumption. In version 3.15, this approach was extended to lesser
| used alternate functions (i.e. per-label conversions and codec
| support). A workaround is available. Domain names cannot exceed 253
| characters in length. If this length limit is enforced prior to
| passing the domain to the `idna.encode()` function, it should no
| longer consume significant resources. This is triggered by
| arbitrarily large inputs that would not occur in normal usage, but
| may be passed to the library assuming there is no preliminary input
| validation by the higher-level application.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45409
    https://www.cve.org/CVERecord?id=CVE-2026-45409
[1] https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
[2] https://github.com/kjd/idna/commit/628fef84d3eda59321c21127e73dcd873db23ead
[3] https://github.com/kjd/idna/commit/e1cb465b6376f33306a26f467d197edbcd01c4b9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
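The workaround named in the advisory quoted above is to enforce the 253-character domain limit before the string ever reaches `idna.encode()`, so that an oversized payload is rejected in O(n) string handling rather than in the library's per-character contextual checks. The following is an added example of such a guard; it is not code from the bug report, from Debian, or from the idna project. The helper names (`precheck_domain`, `safe_encode`) are the example's own, and the set of label separators is an assumption taken from the dots that UTS #46 processing treats as label boundaries.

```python
"""Length guard applied in front of idna.encode(), per the advisory's workaround."""

# Limits from the DNS wire format: a full domain name is at most 253
# characters (excluding a single trailing root dot), each label at most 63.
MAX_DOMAIN_LEN = 253
MAX_LABEL_LEN = 63

# Assumed label separators: U+002E plus the three ideographic / full-width
# stops that UTS #46 maps to a dot.
LABEL_SEPARATORS = ".\u3002\uff0e\uff61"


def precheck_domain(domain: str) -> tuple[bool, str]:
    """Return (ok, reason) after length-only checks; never touches idna.

    The checks run in time linear in len(domain) and reject only inputs that
    could not produce a valid name anyway: an A-label is never shorter than
    its U-label in code points (punycode emits at least one character per
    input code point and adds the "xn--" prefix), so a label of more than 63
    code points, or a name of more than 253, cannot encode to a valid result.
    """
    if not isinstance(domain, str):
        return False, "not a str"
    # A single trailing root dot is allowed and does not count toward 253.
    body = domain[:-1] if domain and domain[-1] in LABEL_SEPARATORS else domain
    if not body:
        return False, "empty domain"
    if len(body) > MAX_DOMAIN_LEN:
        return False, f"domain longer than {MAX_DOMAIN_LEN} code points"
    for sep in LABEL_SEPARATORS[1:]:
        body = body.replace(sep, ".")
    for label in body.split("."):
        if not label:
            return False, "empty label"
        if len(label) > MAX_LABEL_LEN:
            return False, f"label longer than {MAX_LABEL_LEN} code points"
    return True, "ok"


def safe_encode(domain: str) -> bytes:
    """Apply the length guard, then delegate to idna.encode()."""
    ok, reason = precheck_domain(domain)
    if not ok:
        raise ValueError(f"rejected before IDNA processing: {reason}")
    import idna  # imported lazily so the guard itself has no dependency
    return idna.encode(domain)


if __name__ == "__main__":
    # Constructed samples: ordinary names plus the two payload shapes the
    # advisory describes, with a large N.
    samples = [
        "example.com",
        "b\u00fccher.example.",
        "\u0660" * 100_000,
        "\u30fb" * 100_000 + "\u6f22",
        "a" * 64 + ".example",
    ]
    for s in samples:
        print(repr(s[:12]), len(s), precheck_domain(s))
```

The guard is deliberately conservative: it decides on code-point counts of the input and leaves every Unicode rule to the library, so it cannot reject a name that `idna.encode()` would have accepted. On idna 3.14 and later the library performs an equivalent early rejection itself; the guard remains useful in front of older versions and in front of the per-label and codec entry points that were only covered in 3.15.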
Dear maintainer,

I've prepared an NMU for python-idna (versioned as 3.11-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
We believe that the bug you reported is fixed in the latest version of python-idna, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139164@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated python-idna package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 23 Jun 2026 17:01:51 +0300
Source: python-idna
Architecture: source
Version: 3.11-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1139164
Changes:
 python-idna (3.11-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-45409: DoS from specially crafted inputs (Closes: #1139164)
Checksums-Sha1:
 723302442994ff8676719bae5196c168224992c3 2097 python-idna_3.11-1.1.dsc
 cf3722da461dc4bc8da5accca32304b8e35bce02 7572 python-idna_3.11-1.1.debian.tar.xz
Checksums-Sha256:
 8a5fd52eddff7946d75557f7d1c2c87274196185dd6b163a8572cb275f066947 2097 python-idna_3.11-1.1.dsc
 443da84b88ad892f74f18a3090295d34f6b3e91edfe55d94dccd0e0aa06d5240 7572 python-idna_3.11-1.1.debian.tar.xz
Files:
 5318080156a5f34e89017e4e0ccbaa3f 2097 python optional python-idna_3.11-1.1.dsc
 141dca738cd6565b7b1d8e8555aae815 7572 python optional python-idna_3.11-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmo6k9EACgkQiNJCh6LY
mLEdGRAAlfjw2C+UsyLGq4SCPknEr1KOdCtT6nMe7/YF+t+EwZEHz8DqAQGQMUFF
DXRSEUkGySXDgaN64ThCCaytbhQ0P3IdsP+p2dvQLaFf4muTO1fhUrS4R5JFSvpN
ikY1sRz92949tCW0B4hgc27SO7DrU/d0At6shGms8j89IIcDV1kOf88w5jHvFiZ7
CfGZidpnVnsuY1A+vUxALaCR7r0I+eSNbkMV7bK7yThdr2Y/AUCIK30Jfxxv6k1t
X6zFeMHkLyDsRhUUoLrxe8P9LMBt5ax2iLZ6nkLONP8N5EE6VRn+a70D5AgiaFu9
iQ2kDx/JK1iPP3DZFi+8BiQnn68fB7zMfQprtH0S3z8yA9DSeaPk/h6vXeIYY2Of
Et+6KHRIyGvaY88ttsiBroaJOxwGWGRTQCopH+Tm6WAUARfnSgODtVNv7flal9xk
sa43LFFPtPbqE7oj95M4SNFZRn6nF9aHrssUQ8BipqHR6ZtAKNwZWm18i7NFq6qB
28lVU+JD1oddVA7owSTLH6ksS4kApgJ4l9i0xPbpNddYAZNCAakUx3JCTqiWB3DC
IuA8dC9qzgzQZ5be+EWWUcfxEGjUanym1CmQfJuwxifesolPF62n1z2/JHIvjBj8
A/4xEMUnFPtCnlqKrKfvfGt9pGSiuog+iiWK4HvPSteU7HYpU6I=
=7FFG
-----END PGP SIGNATURE-----