Your message dated Sun, 08 Mar 2026 19:32:05 +0000
with message-id <[email protected]>
and subject line Bug#1126557: fixed in python-multipart 0.0.20-1.1~deb13u1
has caused the Debian Bug report #1126557,
regarding python-multipart: CVE-2026-24486
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-multipart
Version: 0.0.20-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-multipart.
CVE-2026-24486[0]:
| Python-Multipart is a streaming multipart parser for Python. Prior
| to version 0.0.22, a Path Traversal vulnerability exists when using
| non-default configuration options `UPLOAD_DIR` and
| `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to
| arbitrary locations on the filesystem by crafting a malicious
| filename. Users should upgrade to version 0.0.22 to receive a patch
| or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in
| project configurations.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24486
    https://www.cve.org/CVERecord?id=CVE-2026-24486
[1] https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
[2] https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
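The bug class in the CVE description above (a client-supplied filename used to build the destination path under an upload directory) is shown here as an added example. It is not code from python-multipart or its patch: naive_upload_path, safe_upload_path and is_inside are hypothetical helpers, and the sample filenames are constructed.

```python
import os
import tempfile


def naive_upload_path(upload_dir: str, client_filename: str) -> str:
    """Weak pattern: join the client-supplied name onto the directory as-is."""
    # os.path.join drops upload_dir entirely when client_filename is absolute,
    # and ".." components climb out of it once the path is normalised.
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Hardened pattern: keep the last path component, then check containment."""
    # Treat backslashes as separators too, whatever the host OS is.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("unusable upload filename")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the resolved path (symlinks followed) must stay in root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("upload path escapes upload directory")
    return candidate


def is_inside(root: str, path: str) -> bool:
    """True when path resolves to a location under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo() -> dict:
    """Map each constructed filename to (naive stays inside, safe stays inside)."""
    samples = ["report.pdf", "../outside.txt", "/tmp/abs.txt", "a/../../b.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        upload_dir = os.path.join(base, "uploads")
        os.mkdir(upload_dir)
        for name in samples:
            naive_ok = is_inside(upload_dir, naive_upload_path(upload_dir, name))
            safe_ok = is_inside(upload_dir, safe_upload_path(upload_dir, name))
            results[name] = (naive_ok, safe_ok)
    return results


if __name__ == "__main__":
    for name, (naive_ok, safe_ok) in demo().items():
        print(f"{name!r}: naive inside={naive_ok}, safe inside={safe_ok}")
```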
--- Begin Message ---
Source: python-multipart
Source-Version: 0.0.20-1.1~deb13u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-multipart, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated python-multipart
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 08 Mar 2026 19:08:51 +0100
Source: python-multipart
Architecture: source
Version: 0.0.20-1.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Sandro Tosi <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1126557
Changes:
python-multipart (0.0.20-1.1~deb13u1) trixie; urgency=medium
.
* Rebuild for trixie
.
python-multipart (0.0.20-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Arbitrary file write via a non-default configuration (CVE-2026-24486)
(Closes: #1126557)
* chore: add return type on test
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---