Advisories » MGASA-2026-0011

Updated python-urllib3 packages fix security vulnerabilities

Publication date: 17 Jan 2026
Modification date: 17 Jan 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-66418 , CVE-2026-21441

Description

urllib3 allows an unbounded number of links in the decompression chain.
(CVE-2025-66418)
urllib3 vulnerable to decompression-bomb safeguard bypass when following
HTTP redirects (streaming API). (CVE-2026-21441)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=34809
• https://www.openwall.com/lists/oss-security/2025/12/05/4
• https://ubuntu.com/security/notices/USN-7955-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66418
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21441

SRPMS

9/core

• python-urllib3-1.26.20-1.2.mga9