Bug 35258 - python-ujson new security issues CVE-2026-3287[45]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-23 15:05 CET by Nicolas Salguero
Modified: 2026-03-29 01:55 CET

See Also:
Source RPM: python-ujson-5.7.0-1.mga9.src.rpm
CVE: CVE-2026-32874, CVE-2026-32875
Status comment:
herman.viaene: test_passed_mga9_64+


Comment 1 Nicolas Salguero 2026-03-23 15:06:24 CET
CVE-2026-32874 fixed by: https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2
CVE-2026-32875 fixed by: https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-ujson-5.10.0-2.mga10.src.rpm, python-ujson-5.7.0-1.mga9.src.rpm
CVE: (none) => CVE-2026-32874, CVE-2026-32875
Status comment: (none) => Fixed upstream in 5.12.0

Nicolas Salguero 2026-03-23 15:06:37 CET

Status comment: Fixed upstream in 5.12.0 => Fixed upstream in 5.12.0 and patches available from upstream

Comment 2 Lewis Smith 2026-03-25 10:02:03 CET
Thanks for the patch refs.

Assignee: bugsquad => python

Comment 3 papoteur 2026-03-25 13:22:33 CET
The 2 patches are applied:

SRPMS:
python-ujson-5.7.0-1.1.mga9

RPMS:
python3-ujson-5.7.0-1.1.mga9

Status comment: Fixed upstream in 5.12.0 and patches available from upstream => (none)
CC: (none) => yves.brungard
Assignee: python => qa-bugs
Whiteboard: MGA9TOO => (none)
Source RPM: python-ujson-5.10.0-2.mga10.src.rpm, python-ujson-5.7.0-1.mga9.src.rpm => python-ujson-5.7.0-1.mga9.src.rpm
Version: Cauldron => 9

Comment 4 papoteur 2026-03-25 13:23:05 CET
Cauldron fixed with 5.12.0

Comment 5 Herman Viaene 2026-03-26 17:37:39 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 31332 for test:
$ python3 testujson.py
a type: <class 'dict'>
b variable: <class 'str'>
{"name":"Horseman","age":"21","city":"Mumbai"}
{
    "name": "Horseman",
    "age": "21",
    "city": "Mumbai"
}
c variable: <class 'dict'>
{'name': 'Horseman', 'age': '21', 'city': 'Mumbai'}
Looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 6 Thomas Andrews 2026-03-27 22:07:29 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-03-28 19:11:19 CET

Keywords: (none) => advisory

Comment 7 Mageia Robot 2026-03-29 01:55:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0073.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
