Your message dated Mon, 28 Jul 2025 10:07:04 +0000
with message-id <[email protected]>
and subject line Bug#1109805: fixed in starlette 0.46.1-3
has caused the Debian Bug report #1109805,
regarding starlette: CVE-2025-54121
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109805
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: starlette
Version: 0.46.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for starlette.
CVE-2025-54121[0]:
| Starlette is a lightweight ASGI (Asynchronous Server Gateway
| Interface) framework/toolkit, designed for building async web
| services in Python. In versions 0.47.1 and below, when parsing a
| multi-part form with large files (greater than the default max spool
| size) starlette will block the main thread to roll the file over to
| disk. This blocks the event thread which means the application can't
| accept new connections. The UploadFile code has a minor bug where
| instead of just checking for self._in_memory, the logic should also
| check if the additional bytes will cause a rollover. The
| vulnerability is fixed in version 0.47.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-54121
https://www.cve.org/CVERecord?id=CVE-2025-54121
[1] https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
[2] https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
[3] https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: starlette
Source-Version: 0.46.1-3
Done: Piotr Ożarowski <[email protected]>
We believe that the bug you reported is fixed in the latest version of
starlette, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Piotr Ożarowski <[email protected]> (supplier of updated starlette package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 28 Jul 2025 11:42:53 +0200
Source: starlette
Architecture: source
Version: 0.46.1-3
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Piotr Ożarowski <[email protected]>
Closes: 1109805
Changes:
starlette (0.46.1-3) unstable; urgency=high
.
by writing to disk using thread pool to prevent synchronous blocking when
SpooledTemporaryFile rolls over to disk. (Closes: #1109805)
Checksums-Sha1:
2f643ff49c7053c41a829362f2560edc0370c215 2460 starlette_0.46.1-3.dsc
5641289c11fe5ff534e15d160dd37e5133ecd7cf 6324 starlette_0.46.1-3.debian.tar.xz
0bad3d258c15b39c704cd78052a3892d812de2e2 8111 starlette_0.46.1-3_amd64.buildinfo
Checksums-Sha256:
484132ed8f9daf9dcaa1d6b7fc55341e218dbb8ea9a7d37395b52f171699e1a0 2460 starlette_0.46.1-3.dsc
d445f53e533aa8793640edf26751764d9ecdac5416fdaae067f122e68f6877d8 6324 starlette_0.46.1-3.debian.tar.xz
042fa956b70f824cc60e813897dbf5945ecd96ab9d8852fe927907f258418dfa 8111 starlette_0.46.1-3_amd64.buildinfo
Files:
60a67c2e5970c8bcf5c40411fa066c86 2460 python optional starlette_0.46.1-3.dsc
2d045c8889b8d093d725c50df2c336c0 6324 python optional starlette_0.46.1-3.debian.tar.xz
7db557fdbbc5b909323e263eed0871dc 8111 python optional starlette_0.46.1-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEHS+omFjar2IXhi33rvbxoqdFdkUFAmiHSMIACgkQrvbxoqdF
dkWTsxAAhbTB3WfZGEKcTHm0cbVvYi7CcWqPHwge9CKtY/6SLoyj+X0Wo5X0v3xG
pGnnEePEgDvsxsDcTZ5zF2qdv3Qr4L2oazcJ7uwk6gsTEH+aW5GxNBYqkbmh1yPc
gGfEQr7sauCo3xZPQ0AKm+aV0fYatepqecbdmzWC58TSjoyL8kkwR9qntAZDO34h
sBDJ5BgHKsoGv6YcYs8pYTIe7D6rDy5Ee0XhDh+oZEDL0VwkyHyz8LnkV5XywrsS
22/mSbhnaX92mINHc9YSYFZFdncCqANNpfGb3pZael/xlzBsb71uuZ+SgK53dPN3
pWK/8BG1hqe8gnJm0Os7epZ4l81Q4OqAWFU+8oHEVKEeIBqgbA3X/YtAYZmR1Fxy
frGQyKwHGX8pl6vxKttgHB9JuRiE0sy+F9d8uZhF1TyUhEoE/CZ4d4KFk8+4/JoP
12p+8TiqG6UpYyzRvk9UOdvw2lda9Bw1xa5zR6VCnZjYwnSj6+/jWNVs2K/pA1mB
0HQcMjosXl9G4DXPUzT1dlBzF7a/3waKQU4mBjEf7yZdtAiGN/D9t+UD/1pIqdMW
tsBoQWzHCYdY+LjHG/7dMQBwBK9934n4Gj6ICWPJEoEp8hL0qqHMcWfrvZR7DA7R
Xo6E1gnp9/+u7RPkR6+3Rh0QZQd9/Xd3hroK5rqjAcmyxZc88Rs=
=iCH8
-----END PGP SIGNATURE-----
--- End Message ---
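Added example, not code from starlette or from the Debian package: a simplified stand-in for the UploadFile.write path that shows the defect the CVE text describes (the write decision looks only at self._in_memory, so the write that crosses the spool limit runs on the event loop and SpooledTemporaryFile rolls over to disk synchronously inside it) next to a version that also asks whether the pending bytes will cause the rollover and, if so, hands the write to a worker thread, which is the approach the changelog above summarises. The class names, the write counters, the simulate/_feed helpers and the reliance on the CPython-private _rolled and _max_size attributes of SpooledTemporaryFile are assumptions of this example; the constructed input is three 600-byte chunks against a 1024-byte spool, so the second chunk is the one that forces the rollover.

```python
import asyncio
import tempfile


class UploadFileBefore:
    """Simplified stand-in for the pre-fix write path (assumed shape, not
    upstream code). The only question asked before writing is "is the spool
    still in memory?", so the write that pushes the spool past max_size runs
    on the event loop, and the rollover (copying the buffer to a real file on
    disk) happens synchronously inside that call."""

    def __init__(self, max_size: int) -> None:
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)
        self.loop_writes = 0        # writes executed directly on the event loop
        self.threadpool_writes = 0  # writes handed to a worker thread

    @property
    def _in_memory(self) -> bool:
        # _rolled is a CPython implementation detail of SpooledTemporaryFile
        # (assumed here); it becomes True once the spool lives on disk.
        return not getattr(self.file, "_rolled", True)

    async def write(self, data: bytes) -> None:
        if self._in_memory:
            self.file.write(data)   # may roll over to disk right here, blocking the loop
            self.loop_writes += 1
        else:
            await asyncio.to_thread(self.file.write, data)
            self.threadpool_writes += 1


class UploadFileAfter(UploadFileBefore):
    """Same class with the extra check the advisory asks for: if this write
    would cross the spool limit, it goes to the thread pool as well."""

    def _will_roll_over(self, data: bytes) -> bool:
        # _max_size is the limit handed to SpooledTemporaryFile (CPython-private
        # attribute, assumed); 0 means "never roll over". The spool rolls over
        # when its position after the write exceeds max_size.
        max_size = getattr(self.file, "_max_size", 0)
        return bool(max_size) and self.file.tell() + len(data) > max_size

    async def write(self, data: bytes) -> None:
        if self._in_memory and not self._will_roll_over(data):
            self.file.write(data)   # stays in memory: cheap, safe on the loop
            self.loop_writes += 1
        else:
            await asyncio.to_thread(self.file.write, data)
            self.threadpool_writes += 1


async def _feed(upload: UploadFileBefore, chunks: list[bytes]) -> tuple[int, int, bool]:
    """Write each chunk in turn and report where the writes ran."""
    for chunk in chunks:
        await upload.write(chunk)
    result = (upload.loop_writes, upload.threadpool_writes, upload._in_memory)
    upload.file.close()
    return result


def simulate(cls, max_size: int = 1024, chunk: bytes = b"x" * 600, n: int = 3):
    """Feed n copies of chunk to a fresh upload object of class cls and return
    (writes run on the loop, writes run in the pool, still in memory?)."""
    return asyncio.run(_feed(cls(max_size), [chunk] * n))


if __name__ == "__main__":
    # Constructed input: 3 x 600 bytes into a 1024-byte spool; chunk 2 triggers
    # the rollover. Before the fix that rollover write stays on the loop.
    print("before fix:", simulate(UploadFileBefore))  # (2, 1, False)
    print("after fix: ", simulate(UploadFileAfter))   # (1, 2, False)
```

The counters make the difference deterministic instead of timing-based: with the pre-fix logic the rollover write is counted as a loop write, with the corrected logic it is the first write sent to the pool, and uploads that never exceed the spool limit behave identically in both versions. On a live service the observable symptom is the one the CVE text names, an event loop that stops accepting connections while a large multipart upload is being spooled to disk.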