Assigning to the Python Stack maintainers, CC'ing the registered maintainer.

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => python

Ubuntu has issued an advisory on January 12:
https://ubuntu.com/security/notices/USN-7955-1

Summary: python-urllib3 new security issues CVE-2025-66418 and CVE-2025-66471 => python-urllib3 new security issues CVE-2025-66418, CVE-2025-66471 and CVE-2026-21441
Status comment: Fixed upstream in 2.6.0 => Fixed upstream in 2.6.3
CVE: CVE-2025-66418, CVE-2025-66471 => CVE-2025-66418, CVE-2025-66471, CVE-2026-21441

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

urllib3 allows an unbounded number of links in the decompression chain. (CVE-2025-66418)

urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API). (CVE-2026-21441)

References:
https://www.openwall.com/lists/oss-security/2025/12/05/4
https://ubuntu.com/security/notices/USN-7955-1
========================

Updated packages in core/updates_testing:
========================
python3-urllib3+brotli-1.26.20-1.2.mga9
python3-urllib3+socks-1.26.20-1.2.mga9
python3-urllib3-1.26.20-1.2.mga9

from SRPM:
python-urllib3-1.26.20-1.2.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: python => qa-bugs

MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34401 for testing.
$ yt-dlp https://www.youtube.com/watch?v=BBeXF_lnj_M&list=RDBBeXF_lnj_M&start_radio=1~
[1] 83130
[2] 83131
[2]+  Done                    list=RDBBeXF_lnj_M
[tester9@mach3 Videos]$ [youtube] Extracting URL: https://www.youtube.com/watch?v=BBeXF_lnj_M
[youtube] BBeXF_lnj_M: Downloading webpage
WARNING: [youtube] No supported JavaScript runtime could be found. YouTube extraction without a JS runtime has been deprecated, and some formats may be missing. See  https://github.com/yt-dlp/yt-dlp/wiki/EJS  for details on installing one. To silence this warning, you can use  --extractor-args "youtube:player_client=default"
[youtube] BBeXF_lnj_M: Downloading android sdkless player API JSON
[youtube] BBeXF_lnj_M: Downloading web safari player API JSON
WARNING: [youtube] BBeXF_lnj_M: Some web_safari client https formats have been skipped as they are missing a url. YouTube is forcing SABR streaming for this client. See  https://github.com/yt-dlp/yt-dlp/issues/12482  for more details
[youtube] BBeXF_lnj_M: Downloading m3u8 information
WARNING: [youtube] BBeXF_lnj_M: Some web client https formats have been skipped as they are missing a url. YouTube is forcing SABR streaming for this client. See  https://github.com/yt-dlp/yt-dlp/issues/12482  for more details
[info] BBeXF_lnj_M: Downloading 1 format(s): 399+251
[download] Sleeping 4.00 seconds as required by the site...
[download] Destination: Bach： Erbarme dich, mein Gott (Matthäuspassion) - Galou (Roth) [BBeXF_lnj_M].f399.mp4
[download] 100% of   17.97MiB in 00:00:03 at 5.85MiB/s
[download] Destination: Bach： Erbarme dich, mein Gott (Matthäuspassion) - Galou (Roth) [BBeXF_lnj_M].f251.webm
[download] 100% of    6.06MiB in 00:00:01 at 5.20MiB/s
[Merger] Merging formats into "Bach： Erbarme dich, mein Gott (Matthäuspassion) - Galou (Roth) [BBeXF_lnj_M].webm"
Deleting original file Bach： Erbarme dich, mein Gott (Matthäuspassion) - Galou (Roth) [BBeXF_lnj_M].f251.webm (pass -k to keep)
Deleting original file Bach： Erbarme dich, mein Gott (Matthäuspassion) - Galou (Roth) [BBeXF_lnj_M].f399.mp4 (pass -k to keep)

[1]+  Done                    yt-dlp https://www.youtube.com/watch?v=BBeXF_lnj_M

Resulting file plays OK in vlc
OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0011.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED