python-kafka (2.0.2-12) [PTS] [DDPO]

OK: VCS matches the version in the archive

Git: https://salsa.debian.org/openstack-team/python/python-kafka.git
JSON
Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
The next upload will reset the information from the source package headers.
Branch: debian/epoxy
Path: debian/changelog
Repo size: 1327104
Browser: https://salsa.debian.org/openstack-team/python/python-kafka
Last scan: 2026-06-13 20:49:36+00
Next scan: 2026-06-20 03:08:00+00

Debian changelog in Git:

python-kafka (2.0.2-12) unstable; urgency=medium

  * CVE-2026-10142 CVE-2026-10143: kafka-python contains a denial-of-service
    vulnerability in the protocol parser that allows a malicious broker or
    machine-in-the-middle attacker to exhaust memory or hang connections by
    sending a crafted 4-byte frame length value without bounds validation.
    Attackers can send a specially crafted frame length through the
    receive_bytes() function to trigger either a multi-gigabyte memory
    allocation or an uncaught ValueError that leaves the connection in a broken
    state, causing requests to hang and consumers to stop heartbeating until
    restart. Applied upstream patch: "Validate SASL/SCRAM iterations".
    (Closes: #1139878, #1139822).

 -- Thomas Goirand <zigo@debian.org>  Sat, 13 Jun 2026 16:14:41 +0200

This branch is even with tag debian/2.0.2-12