diff -pruN 3.4.4-2/debian/changelog 3.4.4-2ubuntu3/debian/changelog
--- 3.4.4-2/debian/changelog	2025-10-12 11:52:20.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/changelog	2025-12-15 18:16:18.000000000 +0000
@@ -1,3 +1,32 @@
+python-ldap (3.4.4-2ubuntu3) resolute; urgency=medium
+
+  * SECURITY UPDATE: Improper special character escape when supplying
+    non-string data types.
+    - debian/patches/CVE-2025-61911.patch: Raise exception when type is not str
+      in Lib/ldap/filter.py.
+    - CVE-2025-61911
+  * SECURITY UPDATE: Denial of service through improperly escaped null byte.
+    - debian/patches/CVE-2025-61912.patch: Change NULL byte escape from \\\000
+      to \\00 in Lib/ldap/dn.py.
+    - CVE-2025-61912
+
+ -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Mon, 15 Dec 2025 14:46:18 -0330
+
+python-ldap (3.4.4-2ubuntu2) resolute; urgency=medium
+
+  * d/t/apparmor.sh: fix testing apparmor profile write access (LP: #2130351)
+
+ -- Jonas Jelten <jonas.jelten@canonical.com>  Mon, 08 Dec 2025 15:45:13 +0100
+
+python-ldap (3.4.4-2ubuntu1) resolute; urgency=medium
+
+  * d/t/{startserver,upstream}: fix slapd apparmor access to test directory
+    (LP: #2130351)
+    - d/t/apparmor.sh: ignore apparmor control failures on Ubuntu+armhf
+      (LP: #2008393)
+
+ -- Jonas Jelten <jonas.jelten@canonical.com>  Tue, 11 Nov 2025 17:53:15 +0100
+
 python-ldap (3.4.4-2) unstable; urgency=medium
 
   * Team Upload
diff -pruN 3.4.4-2/debian/control 3.4.4-2ubuntu3/debian/control
--- 3.4.4-2/debian/control	2025-10-12 11:52:02.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/control	2025-12-08 14:45:13.000000000 +0000
@@ -1,7 +1,8 @@
 Source: python-ldap
 Section: python
 Priority: optional
-Maintainer: Debian Python Team <team+python@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Python Team <team+python@tracker.debian.org>
 Uploaders:
  Willem van den Akker <wvdakker@wilsoft.nl>,
  Michael Fladischer <fladi@debian.org>,
diff -pruN 3.4.4-2/debian/patches/CVE-2025-61911.patch 3.4.4-2ubuntu3/debian/patches/CVE-2025-61911.patch
--- 3.4.4-2/debian/patches/CVE-2025-61911.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/patches/CVE-2025-61911.patch	2025-12-15 18:16:18.000000000 +0000
@@ -0,0 +1,34 @@
+From 3957526fb1852e84b90f423d9fef34c7af25b85a Mon Sep 17 00:00:00 2001
+From: lukas-eu <62448426+lukas-eu@users.noreply.github.com>
+Date: Fri, 10 Oct 2025 19:47:46 +0200
+Subject: [PATCH] Merge commit from fork
+
+---
+ Lib/ldap/filter.py     | 2 ++
+ Tests/t_ldap_filter.py | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- python-ldap-3.4.4.orig/Lib/ldap/filter.py
++++ python-ldap-3.4.4/Lib/ldap/filter.py
+@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,
+       If 1 all NON-ASCII chars are escaped.
+       If 2 all chars are escaped.
+   """
++  if not isinstance(assertion_value, str):
++    raise TypeError("assertion_value must be of type str.")
+   if escape_mode:
+     r = []
+     if escape_mode==1:
+--- python-ldap-3.4.4.orig/Tests/t_ldap_filter.py
++++ python-ldap-3.4.4/Tests/t_ldap_filter.py
+@@ -49,6 +49,10 @@ class TestDN(unittest.TestCase):
+             ),
+             r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f'
+         )
++        with self.assertRaises(TypeError):
++            escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
++        with self.assertRaises(TypeError):
++            escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
+ 
+     def test_escape_filter_chars_mode2(self):
+         """
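Review bot: The new `isinstance(assertion_value, str)` guard in `escape_filter_chars` also rejects `bytes`, `int` and `None`, but the tests added to Tests/t_ldap_filter.py pin only the list and dict cases, and only under `escape_mode=1`. I would add a case such as `with self.assertRaises(TypeError): escape_filter_chars(b"abc")`, so the default mode and the most likely non-str input are covered. The docstring, which starts above the hunk, should gain a line like `Raises TypeError if assertion_value is not a str.`. Because this is a stable-release backport, check callers that previously passed bytes or integers, either directly or (presumably) through `filter_format` in the same module, since they now get an exception instead of a filter string.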
diff -pruN 3.4.4-2/debian/patches/CVE-2025-61912.patch 3.4.4-2ubuntu3/debian/patches/CVE-2025-61912.patch
--- 3.4.4-2/debian/patches/CVE-2025-61912.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/patches/CVE-2025-61912.patch	2025-12-15 18:16:18.000000000 +0000
@@ -0,0 +1,36 @@
+Backport of:
+
+From 6ea80326a34ee6093219628d7690bced50c49a3f Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <simon.pichugin@gmail.com>
+Date: Fri, 10 Oct 2025 10:46:45 -0700
+Subject: [PATCH] Merge commit from fork
+
+Update tests to expect \00 and verify RFC-compliant escaping
+---
+ Lib/ldap/dn.py     | 3 ++-
+ Tests/t_ldap_dn.py | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- python-ldap-3.4.4.orig/Lib/ldap/dn.py
++++ python-ldap-3.4.4/Lib/ldap/dn.py
+@@ -26,7 +26,8 @@ def escape_dn_chars(s):
+     s = s.replace('>' ,'\\>')
+     s = s.replace(';' ,'\\;')
+     s = s.replace('=' ,'\\=')
+-    s = s.replace('\000' ,'\\\000')
++    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
++    s = s.replace('\x00' ,'\\00')
+     if s[-1]==' ':
+       s = ''.join((s[:-1],'\\ '))
+     if s[0]=='#' or s[0]==' ':
+--- python-ldap-3.4.4.orig/Tests/t_ldap_dn.py
++++ python-ldap-3.4.4/Tests/t_ldap_dn.py
+@@ -49,7 +49,7 @@ class TestDN(unittest.TestCase):
+         self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('  '), '\\ \\ ')
+         self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
+-        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
++        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), r'f\+o\>o\,b\<a\;r\=\"\00\"')
+         self.assertEqual(ldap.dn.escape_dn_chars('foo\\,bar'), 'foo\\\\\\,bar')
+ 
+     def test_str2dn(self):
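Review bot: The updated assertion in Tests/t_ldap_dn.py checks only the escaped text for a NUL in the middle of a value; nothing in the hunk passes the result to the DN parser, so the test does not show that the `\00` form is actually accepted downstream. A regression test that feeds the output back in, for example `ldap.dn.str2dn('cn=' + ldap.dn.escape_dn_chars('a\x00b'))`, would pin that nothing raises. Inputs consisting only of `'\x00'` or ending in it are also worth covering, since the trailing-space and leading-`#` handling runs after the new replace. The body of `escape_dn_chars` starts and ends outside the hunk, so the ordering relative to the backslash escape cannot be confirmed from here.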
diff -pruN 3.4.4-2/debian/patches/series 3.4.4-2ubuntu3/debian/patches/series
--- 3.4.4-2/debian/patches/series	2025-10-12 11:50:31.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/patches/series	2025-12-15 18:16:18.000000000 +0000
@@ -1,2 +1,4 @@
 0001-Search-for-slapadd-in-sbin-path.patch
 0002-Use-local-objects.inv-in-intersphinx-mapping.patch
+CVE-2025-61911.patch
+CVE-2025-61912.patch
diff -pruN 3.4.4-2/debian/tests/apparmor.sh 3.4.4-2ubuntu3/debian/tests/apparmor.sh
--- 3.4.4-2/debian/tests/apparmor.sh	1970-01-01 00:00:00.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/tests/apparmor.sh	2025-12-08 14:45:13.000000000 +0000
@@ -0,0 +1,58 @@
+# apparmor profile adjustments during testing
+
+if command -v aa-enabled > /dev/null; then
+	apparmor_enabled=$(test "$(aa-enabled)" = "Yes" && echo true || echo false)
+else
+	apparmor_enabled=false
+fi
+
+_apparmor_check() {
+	# allow command to fail if running on Ubuntu-armhf (due to LP: #2008393)
+	"$@" && return 0
+	_ret=$?
+
+	if [ "$(dpkg-vendor --query Vendor)-$(dpkg --print-architecture)" = "Ubuntu-armhf" ]; then
+		echo "WARNING: failed to perform apparmor command: $*" >&2
+		echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error." >&2
+		echo "See LP: #2008393 for details." >&2
+		return 0
+	fi
+
+	echo "apparmor command failed: $*" >&2
+	exit $_ret
+}
+
+_apparmor_cleanup() {
+	if [ "$apparmor_enabled" = true ]; then
+		echo "reverting apparmor adjustments..."
+		sudo rm /etc/apparmor.d/local/usr.sbin.slapd
+
+		if [ -f /etc/apparmor.d/local/usr.sbin.slapd.bak ]; then
+			sudo mv /etc/apparmor.d/local/usr.sbin.slapd.bak /etc/apparmor.d/local/usr.sbin.slapd
+		fi
+
+		_apparmor_check sudo apparmor_parser -W -T -r /etc/apparmor.d/usr.sbin.slapd
+	fi
+}
+
+apparmor_setup() {
+	# if apparmor is used, allow access to test directory
+	if [ "$apparmor_enabled" = true ]; then
+		_apparmor_allowdir=$1
+		if [ -z "$_apparmor_allowdir" ]; then
+			echo "no directory to allow given to apparmor_setup"
+			exit 1
+		fi
+		trap "_apparmor_cleanup" EXIT
+
+		if [ -f /etc/apparmor.d/local/usr.sbin.slapd ]; then
+			sudo mv /etc/apparmor.d/local/usr.sbin.slapd /etc/apparmor.d/local/usr.sbin.slapd.bak
+		fi
+
+		# this directory is like /etc/slapd
+		echo "allowing $_apparmor_allowdir in apparmor..."
+		echo "$_apparmor_allowdir/** kwr," | sudo tee -a /etc/apparmor.d/local/usr.sbin.slapd
+
+		_apparmor_check sudo apparmor_parser -W -T -r /etc/apparmor.d/usr.sbin.slapd
+	fi
+}
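Review bot: The backup step in `apparmor_setup` moves the local override onto `/etc/apparmor.d/local/usr.sbin.slapd.bak` without checking whether a backup already exists. If an earlier run was killed before the EXIT trap fired, the next run overwrites the real backup with the file that still holds the test's `kwr` rule, and cleanup then restores that rule permanently. Guarding the move with `[ ! -e /etc/apparmor.d/local/usr.sbin.slapd.bak ]` would avoid this, and `sudo rm -f` in `_apparmor_cleanup` would stop the trap from failing when the `tee` never created the file. `trap "_apparmor_cleanup" EXIT` also replaces any EXIT trap the sourcing script may have set, which deserves a comment at the top of the file.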
diff -pruN 3.4.4-2/debian/tests/control 3.4.4-2ubuntu3/debian/tests/control
--- 3.4.4-2/debian/tests/control	2025-10-12 11:50:31.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/tests/control	2025-12-08 14:45:13.000000000 +0000
@@ -5,4 +5,4 @@ Depends:
  slapd,
  @,
  @builddeps@,
-Restrictions: allow-stderr
+Restrictions: allow-stderr, needs-sudo
diff -pruN 3.4.4-2/debian/tests/startserver 3.4.4-2ubuntu3/debian/tests/startserver
--- 3.4.4-2/debian/tests/startserver	2025-10-12 11:50:31.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/tests/startserver	2025-12-08 14:45:13.000000000 +0000
@@ -2,6 +2,10 @@
 
 set -e
 
+. debian/tests/apparmor.sh
+
+apparmor_setup ${AUTOPKGTEST_TMP}
+
 cd ${AUTOPKGTEST_TMP}
 for p in $(py3versions -s); do
     $p -c "import slapdtest; server = slapdtest.SlapdObject(); server.start(); assert server.port > 0 and server.port < 65536; server.stop()"
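Review bot: The added call `apparmor_setup ${AUTOPKGTEST_TMP}` is unquoted, so a path containing whitespace is word-split and only its first word reaches `$1`, which is then written into the slapd AppArmor rule. Use `apparmor_setup "${AUTOPKGTEST_TMP}"` here and in the identical line added to debian/tests/upstream. The surrounding script uses the same unquoted form for `cd`, but the value now ends up in a profile granting write access, so the exact directory matters. The `for` loop at the end of the hunk continues outside it.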
diff -pruN 3.4.4-2/debian/tests/upstream 3.4.4-2ubuntu3/debian/tests/upstream
--- 3.4.4-2/debian/tests/upstream	2025-10-12 11:50:31.000000000 +0000
+++ 3.4.4-2ubuntu3/debian/tests/upstream	2025-12-08 14:45:13.000000000 +0000
@@ -2,6 +2,10 @@
 
 set -e
 
+. debian/tests/apparmor.sh
+
+apparmor_setup ${AUTOPKGTEST_TMP}
+
 cp -r Tests ${AUTOPKGTEST_TMP}
 cd ${AUTOPKGTEST_TMP}
 for p in $(py3versions -s); do
