USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in urllib3 when decompressing zstd data. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Illia Volochii discovered that urllib3 did not limit the steps in a decompression chain. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service. (CVE-2025-66418)
Rui Xi discovered that urllib3 incorrectly handled highly compressed data. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-66471)
For the brotli encoding, the fix for CVE-2025-66471 requires an additional security update in the brotli package.
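The two advisory items above describe a single defensive pattern: a decoder that follows a Content-Encoding chain must bound both the number of decoding steps and the total number of bytes it is willing to produce, and it must enforce the byte bound while streaming rather than after fully inflating the body. The example below is added here to illustrate that pattern; it is not urllib3's own code or the code of the Ubuntu fix. It uses only the standard-library zlib (gzip and deflate; zstd and brotli are out of scope for it), and the limit values MAX_DECODE_STEPS and MAX_DECODED_BYTES, the function names decode_bounded, encode_chain and demo, and the sample bodies are all constructed for the demonstration.

```python
import gzip
import zlib

# Constructed limits for this example (assumed values, not urllib3's defaults).
MAX_DECODE_STEPS = 5                  # longest Content-Encoding chain we will follow
MAX_DECODED_BYTES = 1 * 1024 * 1024   # total bytes we are willing to produce across the chain
CHUNK = 64 * 1024                     # output pulled per decompress() call


class DecodeLimitExceeded(Exception):
    """Raised when a body would need more steps or more output than the caller allows."""


def _decoder_for(encoding):
    """Return a streaming zlib decompressor for one Content-Encoding token, or None for identity."""
    token = encoding.strip().lower()
    if token in ("gzip", "x-gzip"):
        return zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)   # gzip framing
    if token == "deflate":
        return zlib.decompressobj(wbits=zlib.MAX_WBITS)        # zlib-wrapped deflate
    if token == "identity":
        return None
    raise ValueError("unsupported content-encoding: %r" % encoding)


def decode_bounded(body, content_encoding,
                   max_steps=MAX_DECODE_STEPS, max_bytes=MAX_DECODED_BYTES):
    """Decode a multi-encoded body while bounding chain length and total output size.

    Content-Encoding lists encodings in the order the sender applied them, so they
    are undone in reverse. Output is pulled CHUNK bytes at a time via max_length, so
    a tiny input that expands enormously is rejected as soon as the budget is crossed,
    not after the whole expansion has been materialised in memory.
    """
    encodings = [e for e in content_encoding.split(",") if e.strip()]
    if len(encodings) > max_steps:
        raise DecodeLimitExceeded("encoding chain of %d steps exceeds limit %d"
                                  % (len(encodings), max_steps))

    produced = 0          # bytes emitted by every stage so far (shared budget)
    data = body
    for encoding in reversed(encodings):
        decoder = _decoder_for(encoding)
        if decoder is None:
            continue
        out = bytearray()
        pending = data
        while True:
            piece = decoder.decompress(pending, CHUNK)
            out += piece
            produced += len(piece)
            if produced > max_bytes:
                raise DecodeLimitExceeded("decoded output exceeds %d bytes" % max_bytes)
            if decoder.eof:
                break
            pending = decoder.unconsumed_tail   # input not yet consumed because output was capped
            if not pending and not piece:
                raise ValueError("truncated %s stream" % encoding.strip())
        data = bytes(out)
    return data


def encode_chain(payload, content_encoding):
    """Apply encodings in the listed order; a helper for building constructed test bodies."""
    data = payload
    for token in (e.strip().lower() for e in content_encoding.split(",") if e.strip()):
        if token in ("gzip", "x-gzip"):
            data = gzip.compress(data)
        elif token == "deflate":
            data = zlib.compress(data)
        elif token != "identity":
            raise ValueError(token)
    return data


def demo():
    """Constructed inputs: a benign two-step body, an over-long chain, and a highly compressed body."""
    results = {}
    benign = encode_chain(b"hello urllib3", "deflate, gzip")
    results["benign"] = decode_bounded(benign, "deflate, gzip")

    try:
        decode_bounded(b"", "gzip, gzip, gzip, gzip, gzip, gzip")   # six steps, limit is five
        results["long_chain"] = "accepted"
    except DecodeLimitExceeded:
        results["long_chain"] = "rejected"

    bomb = encode_chain(b"\0" * (4 * 1024 * 1024), "gzip")   # 4 MiB of zeros shrinks to a few KiB
    try:
        decode_bounded(bomb, "gzip")
        results["bomb"] = "accepted"
    except DecodeLimitExceeded:
        results["bomb"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The chain-length check runs before any decoding work is done, and the byte budget is shared across all stages rather than reset per stage, so nesting several encodings cannot multiply the allowance. The truncated-stream check matters too: without it a loop that waits for eof on an input that never reaches it would spin forever.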
Updated urllib3 package versions:
  2.0.7-1ubuntu0.6
  2.3.0-2ubuntu0.5
  2.3.0-3ubuntu0.4