Hello Matheus,

On Fri, Jan 30, 2026 at 01:54:17AM -0300, Matheus Polkorny wrote:
..
> To access further information about this package, please visit the following
> URL:
>
> https://mentors.debian.net/package/starlette/
>
> Alternatively, you can download the package with 'dget' using this command:
>
> dget -x https://mentors.debian.net/debian/pool/main/s/starlette/starlette_0.46.1-3+deb13u1.dsc
>
> Changes since the last upload:
>
> starlette (0.46.1-3+deb13u1) trixie; urgency=medium
> .
>  * Team upload.
>  * d/p/CVE-2025-62727.patch: Import Upstream patch to fix CVE-2025-62727
>    - An unauthenticated attacker can send a crafted HTTP Range header
>      that triggers quadratic-time processing in Starlette's FileResponse
>      Range parsing/merging logic. This enables CPU exhaustion per request,
>      causing denial-of-service for endpoints serving files
>  * d/changelog: Fix 0.46.1-3 changelog entry
I'm willing to have a look and sponsor your work. As the source package is team maintained and the packaging happens within a git tree, could you please fork the team packaging tree from https://salsa.debian.org/python-team/packages/starlette and create a new branch 'debian/trixie' starting on top of the tag 'debian/0.46.1-3'? Place your modifications afterwards onto this. If you do so, please mind to also adjust debian/gbp.conf to the new branch name. Preparing an upload based on a git tree makes working on and preparing the stuff much easier. You could then also just cherry-pick the adjustment of the debian/changelog file from Piotr.

git cherry-pick -x a6c184cb0f39188a33354dc4db97e9b7fbe0107f

Please also document where you have taken the patch from. My guess is this is commit https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5 But people should not need to spend time finding this out by searching, but rather see by comparing that your modifications are the same and based on some referenced source. There is https://dep-team.pages.debian.net/deps/dep3/ about some additional header data to make it more clear and obvious what the patch is about and where it comes from. Have a look at the end of the document to see some examples.

Another suggestion: Please make the entry in debian/changelog about the fix easier to read. The first thing I'd look for is to easily catch the CVE number(s) which got fixed in the uploaded version. I'm just interested in how this was done by a second view. Less text is more here. Get some inspiration for what I mean here e.g.: https://tracker.debian.org/news/1592590/accepted-python-werkzeug-222-3deb12u1-source-into-proposed-updates/

Regards
Carsten
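The branch-from-tag, gbp.conf and cherry-pick -x steps above, plus a DEP-3 header for the CVE patch, rehearsed end to end in a throwaway local git repository so it runs offline. This is an added example, not part of the mail and not the Python team's tooling: the salsa tree is replaced by a locally constructed stand-in repository, the debian/changelog contents and the stand-in for Piotr's commit a6c184cb are made up for the rehearsal, the upstream commit URL is Carsten's guess from the mail and must be confirmed against the actual fix before it goes into the Origin field, and the Last-Update date is simply the mail's date. The diff body of the patch is not reproduced here; it belongs after the `---` line.

```shell
#!/bin/sh
# Added example (not from the mail or the packaging team). Rehearses the
# sponsor's requested workflow in a local stand-in repository.
set -eu

TAG="debian/0.46.1-3"
BRANCH="debian/trixie"
# Carsten's guess at the upstream fix; confirm before relying on it.
UPSTREAM_FIX="https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5"

# git with a throwaway identity so the rehearsal needs no ~/.gitconfig.
git_() {
    git -c user.name=example -c user.email=example@example.invalid \
        -c commit.gpgsign=false "$@"
}

# Write a DEP-3 header (https://dep-team.pages.debian.net/deps/dep3/) to $1.
# Origin names the upstream commit the patch was taken from; Forwarded is
# not-needed because the fix already comes from upstream. Append the actual
# diff after the "---" line.
write_dep3_header() {
    cat > "$1" <<EOF
Description: Fix quadratic-time Range header parsing in FileResponse (CVE-2025-62727)
 An unauthenticated attacker can send a crafted HTTP Range header that
 triggers quadratic-time processing in Starlette's FileResponse Range
 parsing/merging logic, exhausting CPU per request on endpoints that
 serve files.
Origin: upstream, $UPSTREAM_FIX
Forwarded: not-needed
Last-Update: 2026-01-30
---
EOF
}

# Point gbp's debian-branch at $2 in the gbp.conf at $1. Replaces an existing
# key in place; otherwise appends it (assumes the file's last section is the
# one gbp reads, which holds for a plain [DEFAULT]-only gbp.conf).
set_gbp_branch() {
    conf=$1
    branch=$2
    if grep -q '^debian-branch[[:space:]]*=' "$conf"; then
        sed "s|^debian-branch[[:space:]]*=.*|debian-branch = $branch|" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'debian-branch = %s\n' "$branch" >> "$conf"
    fi
}

# Print the debian-branch value from the gbp.conf at $1.
gbp_branch() {
    sed -n 's/^debian-branch[[:space:]]*=[[:space:]]*//p' "$1"
}

# Full rehearsal in a fresh directory $1: build a stand-in team repository,
# tag it, branch debian/trixie from the tag, switch gbp.conf, cherry-pick a
# stand-in changelog fix with -x, and add the DEP-3-headed patch.
# Succeeds only if the "cherry picked from commit" trailer is present.
rehearse_workflow() {
    work=$1
    mkdir -p "$work/starlette/debian/patches"
    cd "$work/starlette"
    git_ init -q
    # Constructed stand-in contents; the real tree comes from salsa.
    printf '[DEFAULT]\ndebian-branch = debian/latest\n' > debian/gbp.conf
    printf 'starlette (0.46.1-3) unstable; urgency=medium\n' > debian/changelog
    git_ add -A
    git_ commit -q -m "Release 0.46.1-3"
    git_ tag "$TAG"

    # Stand-in for Piotr's changelog fix (the mail's a6c184cb) on its own branch.
    git_ checkout -q -b changelog-fix
    printf '\n  * Team upload.\n' >> debian/changelog
    git_ commit -q -am "Fix 0.46.1-3 changelog entry"
    fix_sha=$(git_ rev-parse HEAD)

    # The stable-update branch, started on top of the tag as requested.
    git_ checkout -q -b "$BRANCH" "$TAG"
    set_gbp_branch debian/gbp.conf "$BRANCH"
    git_ commit -q -am "Switch gbp.conf to $BRANCH"
    git_ cherry-pick -x "$fix_sha" >/dev/null

    write_dep3_header debian/patches/CVE-2025-62727.patch
    printf 'CVE-2025-62727.patch\n' > debian/patches/series
    git_ add debian/patches
    git_ commit -q -m "Import upstream fix for CVE-2025-62727"

    # -x records provenance of the cherry-picked commit; verify it is there.
    git_ log --format=%B -1 HEAD~1 | grep -q "cherry picked from commit $fix_sha"
}

if command -v git >/dev/null 2>&1; then
    ( rehearse_workflow "$(mktemp -d)" ) || { echo "rehearsal failed" >&2; exit 1; }
    echo "rehearsal OK: $BRANCH branched from $TAG, gbp.conf switched, -x trailer and DEP-3 header present"
fi
```

Running the script prints the one-line summary; inspecting `git log` in the temporary directory shows the "(cherry picked from commit ...)" trailer that `-x` adds, and `head -12 debian/patches/CVE-2025-62727.patch` shows the header a reviewer would compare against the referenced upstream commit.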

