Debian Package Tracker

python-multipart

streaming multipart parser for Python

general
  • source: python-multipart (main)
  • version: 0.0.20-1
  • maintainer: Sandro Tosi (DMD)
  • arch: all
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions
  • oldstable: 0.0.5-2
  • stable: 0.0.5-3
  • testing: 0.0.20-1
  • unstable: 0.0.20-1
versioned links
  • 0.0.5-2: [.dsc] [changelog] [copyright] [rules] [control]
  • 0.0.5-3: [.dsc] [changelog] [copyright] [rules] [control]
  • 0.0.20-1: [.dsc] [changelog] [copyright] [rules] [control]
binaries
  • python3-python-multipart
action needed
lintian reports 1 warning (normal)
Lintian reports 1 warning about this package. You should make the package lintian-clean by getting rid of it.
Created: 2025-03-14 Last update: 2025-03-14 15:31
2 low-priority security issues in bookworm (low)

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2024-24762: (needs triaging) `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.
  • CVE-2024-53981: (needs triaging) `python-multipart` is a streaming multipart parser for Python. When parsing form data, `python-multipart` skips line breaks (CR `\r` or LF `\n`) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In the case of an ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-09 Last update: 2025-04-22 17:00
debian/patches: 1 patch to forward upstream (low)

Of the 1 Debian patch available in version 0.0.20-1 of the package, we noticed the following issues:

  • 1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2024-12-19 Last update: 2025-03-14 12:25
Standards version of the package is outdated. (wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2025-02-21 Last update: 2025-03-14 12:26
news
  • [2025-03-16] python-multipart 0.0.20-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-14] Accepted python-multipart 0.0.20-1 (source) into unstable (Sandro Tosi)
  • [2024-12-21] python-multipart 0.0.17-5 MIGRATED to testing (Debian testing watch)
  • [2024-12-19] Accepted python-multipart 0.0.17-5 (source) into unstable (Sandro Tosi)
  • [2024-11-29] python-multipart 0.0.17-1 MIGRATED to testing (Debian testing watch)
  • [2024-11-27] Accepted python-multipart 0.0.17-4 (source) into experimental (Sandro Tosi)
  • [2024-11-27] Accepted python-multipart 0.0.17-3 (source) into experimental (Sandro Tosi)
  • [2024-11-26] Accepted python-multipart 0.0.17-2 (source all) into experimental (Debian FTP Masters) (signed by: Sandro Tosi)
  • [2024-11-24] Accepted python-multipart 0.0.17-1 (source) into unstable (Sandro Tosi)
  • [2024-03-06] python-multipart 0.0.9-1 MIGRATED to testing (Debian testing watch)
  • [2024-03-02] Accepted python-multipart 0.0.9-1 (source) into unstable (Sandro Tosi)
  • [2024-01-19] python-multipart 0.0.6-1 MIGRATED to testing (Debian testing watch)
  • [2024-01-13] Accepted python-multipart 0.0.6-1 (source) into unstable (Sandro Tosi)
  • [2022-10-28] python-multipart 0.0.5-3 MIGRATED to testing (Debian testing watch)
  • [2022-10-23] Accepted python-multipart 0.0.5-3 (source) into unstable (Sandro Tosi)
  • [2021-01-16] python-multipart 0.0.5-2 MIGRATED to testing (Debian testing watch)
  • [2021-01-11] Accepted python-multipart 0.0.5-2 (source) into unstable (Sandro Tosi)
  • [2021-01-10] Accepted python-multipart 0.0.5-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Sandro Tosi)
bugs
  • all: 0
ubuntu
  • version: 0.0.20-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers