Debian Package Tracker

python-multipart

streaming multipart parser for Python

general
  • source: python-multipart (main)
  • version: 0.0.20-1.1
  • maintainer: Sandro Tosi (DMD)
  • arch: all
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.0.5-2
  • oldstable: 0.0.5-3
  • stable: 0.0.20-1
  • testing: 0.0.20-1
  • unstable: 0.0.20-1.1
versioned links
  • 0.0.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.0.5-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.0.20-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.0.20-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python3-python-multipart
action needed
A new upstream version is available: 0.0.22 [high]
A new upstream version 0.0.22 is available, you should consider packaging it.
Created: 2025-12-21 Last update: 2026-02-08 15:02
1 security issue in forky [high]

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-24486: Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Created: 2026-01-27 Last update: 2026-02-07 22:30
The VCS repository is not up to date, push the missing commits. [high]
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch, which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively, the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate which branch is used for the Debian packaging.
Created: 2026-02-06 Last update: 2026-02-06 22:03
lintian reports 1 warning [normal]
Lintian reports 1 warning about this package. You should make the package lintian clean by getting rid of it.
Created: 2025-03-14 Last update: 2025-03-14 15:31
1 low-priority security issue in trixie [low]

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-24486: (needs triaging) Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-27 Last update: 2026-02-07 22:30
3 low-priority security issues in bookworm [low]

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:
  • CVE-2024-24762: (needs triaging) `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
  • CVE-2024-53981: (needs triaging) python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.
  • CVE-2026-24486: (needs triaging) Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-09 Last update: 2026-02-07 22:30
debian/patches: 3 patches to forward upstream [low]

Among the 3 Debian patches available in version 0.0.20-1.1 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2024-12-19 Last update: 2026-02-07 08:01
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.0).
Created: 2025-02-21 Last update: 2026-02-06 22:03
testing migrations
  • excuses:
    • Migration status for python-multipart (0.0.20-1 to 0.0.20-1.1): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      • Too young, only 1 of 2 days old
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-multipart.html
      • Autopkgtest for python-multipart/0.0.20-1.1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Reproducible on amd64
      • Reproducible on arm64
      • Reproducible on armhf
      • Reproducible on i386
      • Reproducible on ppc64el
      • Required age reduced by 3 days because of autopkgtest
    • Not considered
news
  • [2026-02-06] Accepted python-multipart 0.0.20-1.1 (source) into unstable (Salvatore Bonaccorso)
  • [2025-03-16] python-multipart 0.0.20-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-14] Accepted python-multipart 0.0.20-1 (source) into unstable (Sandro Tosi)
  • [2024-12-21] python-multipart 0.0.17-5 MIGRATED to testing (Debian testing watch)
  • [2024-12-19] Accepted python-multipart 0.0.17-5 (source) into unstable (Sandro Tosi)
  • [2024-11-29] python-multipart 0.0.17-1 MIGRATED to testing (Debian testing watch)
  • [2024-11-27] Accepted python-multipart 0.0.17-4 (source) into experimental (Sandro Tosi)
  • [2024-11-27] Accepted python-multipart 0.0.17-3 (source) into experimental (Sandro Tosi)
  • [2024-11-26] Accepted python-multipart 0.0.17-2 (source all) into experimental (Debian FTP Masters) (signed by: Sandro Tosi)
  • [2024-11-24] Accepted python-multipart 0.0.17-1 (source) into unstable (Sandro Tosi)
  • [2024-03-06] python-multipart 0.0.9-1 MIGRATED to testing (Debian testing watch)
  • [2024-03-02] Accepted python-multipart 0.0.9-1 (source) into unstable (Sandro Tosi)
  • [2024-01-19] python-multipart 0.0.6-1 MIGRATED to testing (Debian testing watch)
  • [2024-01-13] Accepted python-multipart 0.0.6-1 (source) into unstable (Sandro Tosi)
  • [2022-10-28] python-multipart 0.0.5-3 MIGRATED to testing (Debian testing watch)
  • [2022-10-23] Accepted python-multipart 0.0.5-3 (source) into unstable (Sandro Tosi)
  • [2021-01-16] python-multipart 0.0.5-2 MIGRATED to testing (Debian testing watch)
  • [2021-01-11] Accepted python-multipart 0.0.5-2 (source) into unstable (Sandro Tosi)
  • [2021-01-10] Accepted python-multipart 0.0.5-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Sandro Tosi)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu
  • version: 0.0.20-1.1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.