Your message dated Sat, 16 May 2026 14:34:43 +0000
with message-id <[email protected]>
and subject line Bug#1136447: fixed in node-multiparty 4.3.0-1
has caused the Debian Bug report #1136447,
regarding node-multiparty: CVE-2026-8159 CVE-2026-8161 CVE-2026-8162
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136447
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-multiparty
Version: 4.2.3-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for node-multiparty.

CVE-2026-8159[0]:
| [email protected] and lower versions are vulnerable to denial of
| service via regular expression backtracking in the
| Content-Disposition filename parameter parser. A crafted multipart upload
| with a long header value can cause regex matching to take seconds,
| blocking the event loop. Impact: any service accepting multipart
| uploads via multiparty is affected. Workarounds: limiting upload
| sizes at the proxy or gateway layer reduces but does not eliminate
| the attack surface, since a small header of around 8 KB is
| sufficient to trigger the vulnerable backtracking. Upgrade to
| [email protected] or higher.


CVE-2026-8161[1]:
| [email protected] and lower versions are vulnerable to denial of
| service via uncaught exception. By sending a multipart/form-data
| request with a field name that collides with an inherited
| Object.prototype property such as __proto__, constructor, or
| toString, the parser invokes .push() on the inherited prototype
| value rather than an array, throwing a TypeError that propagates as
| an uncaught exception and crashes the process. Impact: any service
| accepting multipart uploads via multiparty is affected. Workarounds:
| none. Upgrade to [email protected] or higher.


CVE-2026-8162[2]:
| [email protected] and lower versions are vulnerable to denial of
| service via uncaught exception. By sending a multipart/form-data
| request with a Content-Disposition header whose filename* parameter
| contains a malformed percent-encoding, the parser invokes decodeURI
| on the value without try/catch. The resulting URIError propagates as
| an uncaught exception and crashes the process. Impact: any service
| accepting multipart uploads via multiparty is affected. Workarounds:
| none. Upgrade to [email protected] or higher.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8159
    https://www.cve.org/CVERecord?id=CVE-2026-8159
[1] https://security-tracker.debian.org/tracker/CVE-2026-8161
    https://www.cve.org/CVERecord?id=CVE-2026-8161
[2] https://security-tracker.debian.org/tracker/CVE-2026-8162
    https://www.cve.org/CVERecord?id=CVE-2026-8162

Regards,
Salvatore

--- End Message ---
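
The two uncaught-exception classes described in CVE-2026-8161 and CVE-2026-8162 above, reproduced as an added illustration that is not part of the bug report and is not multiparty's own code. All function names and sample inputs are hypothetical and constructed for this example; each fragile pattern sits beside a hardened form.

```javascript
// Added illustration; names are hypothetical, not multiparty's API.

// CVE-2026-8161 pattern: fields collected in a plain object, so a field
// name such as "toString" resolves to an inherited Object.prototype member.
function collectFieldsUnsafe(pairs) {
  const fields = {};
  for (const [name, value] of pairs) {
    fields[name] = fields[name] || []; // inherited value is truthy, so it is kept
    fields[name].push(value);          // TypeError: push is not a function
  }
  return fields;
}

// Hardened: a prototype-less map plus an explicit array check.
function collectFieldsSafe(pairs) {
  const fields = Object.create(null);  // nothing inherited, "__proto__" is a plain key
  for (const [name, value] of pairs) {
    if (!Array.isArray(fields[name])) fields[name] = [];
    fields[name].push(value);
  }
  return fields;
}

// CVE-2026-8162 pattern: decodeURI throws URIError on malformed
// percent-encoding; inside a stream callback nothing catches it.
function decodeExtValueUnsafe(encoded) {
  return decodeURI(encoded);
}

// Hardened: turn the decode failure into a value the caller can reject.
function decodeExtValueSafe(encoded) {
  try {
    return decodeURI(encoded);
  } catch (err) {
    if (err instanceof URIError) return null; // caller answers with a 4xx
    throw err;
  }
}

// Helper: report what a call does without letting the exception escape.
function outcome(fn, arg) {
  try { fn(arg); return 'ok'; } catch (err) { return err.constructor.name; }
}

// Constructed sample inputs.
console.log(outcome(collectFieldsUnsafe, [['toString', 'x']]));  // TypeError
console.log(outcome(collectFieldsSafe, [['toString', 'x']]));    // ok
console.log(outcome(decodeExtValueUnsafe, 'report%ZZ.txt'));     // URIError
console.log(decodeExtValueSafe('report%ZZ.txt'));                // null
```
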
--- Begin Message ---
Source: node-multiparty
Source-Version: 4.3.0-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-multiparty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-multiparty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 May 2026 16:13:16 +0200
Source: node-multiparty
Architecture: source
Version: 4.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1136447
Changes:
 node-multiparty (4.3.0-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * debian/watch version 5
   * New upstream version
     (Closes: #1136447, CVE-2026-8159, CVE-2026-8161, CVE-2026-8162)
   * Drop node-mkdirp from test dependencies
   * Update patches

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
