Version in base suite: 3.4.4-1
Base version: python-ldap_3.4.4-1
Target version: python-ldap_3.4.4-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-ldap/python-ldap_3.4.4-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-ldap/python-ldap_3.4.4-1+deb13u1.dsc
changelog | 7 +++++++
patches/CVE-2025-61911.patch | 29 +++++++++++++++++++++++++++++
patches/CVE-2025-61912.patch | 28 ++++++++++++++++++++++++++++
patches/series | 2 ++
4 files changed, 66 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4qmox4dn/python-ldap_3.4.4-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4qmox4dn/python-ldap_3.4.4-1+deb13u1.dsc: no acceptable signature found
diff -Nru python-ldap-3.4.4/debian/changelog python-ldap-3.4.4/debian/changelog
--- python-ldap-3.4.4/debian/changelog 2023-12-03 10:34:54.000000000 +0000
+++ python-ldap-3.4.4/debian/changelog 2026-04-06 21:33:25.000000000 +0000
@@ -1,3 +1,10 @@
+python-ldap (3.4.4-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-61911 (Closes: #1117858)
+ * CVE-2025-61912 (Closes: #1117859)
+
+ -- Moritz Mühlenhoff Mon, 06 Apr 2026 23:33:25 +0200
+
 python-ldap (3.4.4-1) unstable; urgency=low
 
 * New upstream version 3.4.4
diff -Nru python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch
--- python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ldap-3.4.4/debian/patches/CVE-2025-61911.patch 2026-04-06 21:32:56.000000000 +0000
@@ -0,0 +1,29 @@
+From 464fddacd63092d6e01c62a38316a713c30ca98a Mon Sep 17 00:00:00 2001
+From: lukas-eu <62448426+lukas-eu@users.noreply.github.com>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.4.orig/Lib/ldap/filter.py
++++ python-ldap-3.4.4/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+ If 1 all NON-ASCII chars are escaped.
+ If 2 all chars are escaped.
+ """
++ if not isinstance(assertion_value, str):
++ raise TypeError("assertion_value must be of type str.")
+ if escape_mode:
+ r = []
+ if escape_mode==1:
+--- python-ldap-3.4.4.orig/Tests/t_ldap_filter.py
++++ python-ldap-3.4.4/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ class TestDN(unittest.TestCase):
+ ),
+ r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+ )
++ with self.assertRaises(TypeError):
++ escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++ with self.assertRaises(TypeError):
++ escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+
+ def test_escape_filter_chars_mode2(self):
+ """
diff -Nru python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch
--- python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ldap-3.4.4/debian/patches/CVE-2025-61912.patch 2026-04-06 21:33:22.000000000 +0000
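Review bot: The regression tests added to Tests/t_ldap_filter.py in debian/patches/CVE-2025-61911.patch pin the new TypeError only for `escape_mode=1`, while the guard in Lib/ldap/filter.py sits above `if escape_mode:` and therefore applies to every mode. I would add the same assertion for the other paths, e.g. `with self.assertRaises(TypeError): escape_filter_chars(["abc@*()/xyz"], escape_mode=2)`, so a later refactor cannot move the check into a single branch unnoticed. The docstring visible in the hunk should also gain a line such as `Raises TypeError if assertion_value is not a str.`, because for a stable update this is a behaviour change: callers that passed a non-str value now get an exception instead of a returned string, so reverse dependencies are presumably worth a quick check. Both escape_filter_chars and the test method continue outside the hunk.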
@@ -0,0 +1,28 @@
+From 9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+--- python-ldap-3.4.4.orig/Lib/ldap/dn.py
++++ python-ldap-3.4.4/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+ s = s.replace('>' ,'\\>')
+ s = s.replace(';' ,'\\;')
+ s = s.replace('=' ,'\\=')
+- s = s.replace('\000' ,'\\\000')
++ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++ s = s.replace('\x00' ,'\\00')
+ if s[-1]==' ':
+ s = ''.join((s[:-1],'\\ '))
+ if s[0]=='#' or s[0]==' ':
+--- python-ldap-3.4.4.orig/Tests/t_ldap_dn.py
++++ python-ldap-3.4.4/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
+ self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,bo\\,b\\