Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Fedora 43: Brotli 1.2.0 Update - Addressing DoS Risks and Security Issues

fedora
Calendar Grey December 12, 2025
Dist Fedora Esm H88
Update brotli and python-urllib3 in Fedora 43 to address decompression issues leading to high resource use.
Update brotli to 1.2.0 and python-urllib3 to 2.6.1

Summary

Brotli is a generic-purpose lossless compression algorithm that compresses data

using a combination of a modern variant of the LZ77 algorithm, Huffman coding

and 2nd order context modeling, with a compression ratio comparable to the best

currently available general-purpose compression methods. It is similar in speed

with deflate but offers more dense compression.

Update Information:

Update brotli to 1.2.0 and python-urllib3 to 2.6.1. In python-urllib3: Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 / `GHSA-2xpw-w6gg-jr37) Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 / `GHSA-gm62-xv2j-4w53)

Topics%20covered

Topics Covered

security advisory denial of service fedora resource consumption brotli streaming api

Change Log

* Mon Dec 8 2025 Benjamin A. Beasley - 1.2.0-1 - Update to 1.2.0 (close RHBZ#2401888) - Stop trying to support EPEL7, which is end-of-life - Port to pyproject-rpm-macros (close RHBZ#2377212) - Test the Python extension

References


[ 1 ] Bug #2419408 - python-urllib3-2.6.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2419408 [ 2 ] Bug #2419493 - CVE-2025-6176 brotli: Brotli decompression bomb DoS in scrapy/scrapy [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2419493

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-d93200cf16' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: brotli
Product: Fedora 43
Version: 1.2.0
Release: 1.fc43
URL: https://github.com/google/brotli
Summary: Lossless compression algorithm

Topics%20covered

Topics Covered

security advisory denial of service fedora resource consumption brotli streaming api

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here