Format: 1.8
Date: Sat, 13 Jun 2026 16:14:41 +0200
Source: python-kafka
Architecture: source
Version: 2.0.2-12
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1139822 1139878
Changes:
 python-kafka (2.0.2-12) unstable; urgency=medium
 .
   * CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
     vulnerability in the protocol parser that allows a malicious broker or
     machine-in-the-middle attacker to exhaust memory or hang connections by
     sending a crafted 4-byte frame length value without bounds validation.
     Attackers can send a specially crafted frame length through the
     receive_bytes() function to trigger either a multi-gigabyte memory
     allocation or an uncaught ValueError that leaves the connection in a
     broken state, causing requests to hang and consumers to stop heartbeating
     until restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
     (Closes: #1139878, #1139822).
Checksums-Sha1:
 5b9349ba28d2494a8822b22d85330ddb8d0d1803 2299 python-kafka_2.0.2-12.dsc
 e1086f767263824c1991ac678fbe5193c14422a6 11276 python-kafka_2.0.2-12.debian.tar.xz
 00539bdd4a7e0dfcd2e1c88b17542f1db725f74e 8877 python-kafka_2.0.2-12_amd64.buildinfo
Checksums-Sha256:
 fd521e7f29eb9d32f65aaf802202ac90baec07dcf24d8a83df39c09d9e3c81b2 2299 python-kafka_2.0.2-12.dsc
 772800ce1dbb107e368c2d580e78f4c7f04e38c25dccdcea7a62ff663ea45ec6 11276 python-kafka_2.0.2-12.debian.tar.xz
 efbe00c389f78ca6f10aa7444a3e7ec5d4e8644a7c3cb0107ba6417b5a7983d3 8877 python-kafka_2.0.2-12_amd64.buildinfo
Files:
 b6c99144d03f0d07f6f5418a54993b31 2299 python optional python-kafka_2.0.2-12.dsc
 9db2c7a891cc2569002dbd013c284609 11276 python optional python-kafka_2.0.2-12.debian.tar.xz
 8b65c351b853a9187ab6e6b39a52d160 8877 python optional python-kafka_2.0.2-12_amd64.buildinfo
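The bounds check the changelog entry describes, as an added example that is not kafka-python's or the Debian package's own code: an incremental reader for 4-byte big-endian length-prefixed frames that validates the prefix before reserving any buffer, so an oversized or negative length is reported as a protocol error for the caller to close the connection on, instead of turning into a multi-gigabyte allocation or an uncaught ValueError. The cap MAX_FRAME_SIZE, the class and function names, and the sample frames are assumptions constructed for this example.

```python
import struct

# Assumed per-frame cap, constructed for this example; a real client would
# take it from its configured receive limits.
MAX_FRAME_SIZE = 100 * 1024 * 1024

class FrameError(Exception):
    """Invalid length prefix: the caller should close the connection."""

def valid_length(length: int, max_frame_size: int = MAX_FRAME_SIZE) -> bool:
    """Accept a prefix only if it is non-negative and within the cap."""
    return 0 <= length <= max_frame_size

class FrameReader:
    """Incremental reader for 4-byte big-endian length-prefixed frames.

    The prefix is checked before any buffer is reserved, so a crafted header
    raises FrameError instead of causing a huge allocation or letting a
    ValueError escape from deeper in the parser.
    """

    def __init__(self, max_frame_size: int = MAX_FRAME_SIZE):
        self.max_frame_size = max_frame_size
        self._buf = bytearray()
        self._expected = None  # payload length once a header has been parsed

    def feed(self, data: bytes) -> list:
        """Append received bytes and return every complete frame payload."""
        self._buf += data
        frames = []
        while True:
            if self._expected is None:
                if len(self._buf) < 4:
                    break  # header incomplete; wait for more bytes
                (length,) = struct.unpack(">i", self._buf[:4])  # signed int32
                if not valid_length(length, self.max_frame_size):
                    self._buf.clear()  # nothing after a bad header is usable
                    raise FrameError(f"rejected frame length {length}")
                del self._buf[:4]
                self._expected = length
            if len(self._buf) < self._expected:
                break  # wait for the rest of the payload; never more than the cap
            frames.append(bytes(self._buf[:self._expected]))
            del self._buf[:self._expected]
            self._expected = None
        return frames

def encode_frame(payload: bytes) -> bytes:
    """Build a well-formed frame (used to construct sample input)."""
    return struct.pack(">i", len(payload)) + payload
```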