black - Debian Package Tracker

general

source: black (main)
version: 26.3.1-1
maintainer: Debian Python Team (DMD)
uploaders: Chris Lamb [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 20.8b1-4
oldstable: 23.1.0-1
stable: 25.1.0-3
testing: 26.3.1-1
unstable: 26.3.1-1

versioned links

20.8b1-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
23.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
25.1.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
26.3.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

black
python-black-doc

action needed

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2026-32274: Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

1 issue postponed or untriaged:

CVE-2024-21503: (needs triaging) Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Created: 2026-03-13 Last update: 2026-04-01 05:00

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-03-18 Last update: 2026-04-02 03:02

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-32274: (needs triaging) Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-03-13 Last update: 2026-04-01 05:00

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-32274: (needs triaging) Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

You can find information about how to handle this issue in the security team's documentation.

1 ignored issue:

CVE-2024-21503: Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Created: 2024-03-19 Last update: 2026-04-01 05:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-04-01] black 26.3.1-1 MIGRATED to testing (Debian testing watch)
[2026-03-28] black 26.1.0-1 MIGRATED to testing (Debian testing watch)
[2026-03-27] Accepted black 26.3.1-1 (source) into unstable (Michael R. Crusoe)
[2026-03-07] Accepted black 26.1.0-1 (source) into unstable (Michael R. Crusoe)
[2026-02-27] black 25.12.0-2 MIGRATED to testing (Debian testing watch)
[2026-02-24] Accepted black 25.12.0-2 (source) into unstable (Michael R. Crusoe)
[2025-12-12] black 25.12.0-1 MIGRATED to testing (Debian testing watch)
[2025-12-08] Accepted black 25.12.0-1 (source) into unstable (Michael R. Crusoe)
[2025-11-14] black 25.11.0-1 MIGRATED to testing (Debian testing watch)
[2025-11-10] Accepted black 25.11.0-1 (source) into unstable (Colin Watson)
[2025-11-01] black 25.9.0-1 MIGRATED to testing (Debian testing watch)
[2025-10-30] Accepted black 25.9.0-1 (source) into unstable (Colin Watson)
[2025-06-04] black 25.1.0-3 MIGRATED to testing (Debian testing watch)
[2025-05-27] Accepted black 25.1.0-3 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-03-02] black 25.1.0-2 MIGRATED to testing (Debian testing watch)
[2025-02-27] Accepted black 25.1.0-2 (source) into unstable (Michael R. Crusoe)
[2025-02-07] black 25.1.0-1 MIGRATED to testing (Debian testing watch)
[2025-02-05] Accepted black 25.1.0-1 (source) into unstable (Michael R. Crusoe)
[2025-01-29] Accepted black 25.1.0-0exp (source) into experimental (Michael R. Crusoe)
[2025-01-16] black 24.10.0-3 MIGRATED to testing (Debian testing watch)
[2025-01-13] Accepted black 24.10.0-3 (source) into unstable (Alexandre Detiste)
[2025-01-01] black 24.10.0-2 MIGRATED to testing (Debian testing watch)
[2024-12-30] Accepted black 24.10.0-2 (source) into unstable (Colin Watson)
[2024-10-16] black 24.10.0-1 MIGRATED to testing (Debian testing watch)
[2024-10-13] Accepted black 24.10.0-1 (source) into unstable (Sylvestre Ledru)
[2024-08-07] black 24.8.0-1 MIGRATED to testing (Debian testing watch)
[2024-08-07] black 24.8.0-1 MIGRATED to testing (Debian testing watch)
[2024-08-04] Accepted black 24.8.0-1 (source) into unstable (Michael R. Crusoe)
[2024-05-12] black 24.4.2-2 MIGRATED to testing (Debian testing watch)
[2024-05-09] Accepted black 24.4.2-2 (source) into unstable (Michael R. Crusoe)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 26.3.1-1
3 bugs