Your message dated Fri, 06 Feb 2026 17:12:02 +0000
with message-id <[email protected]>
and subject line Bug#1126557: fixed in python-multipart 0.0.20-1.1
has caused the Debian Bug report #1126557,
regarding python-multipart: CVE-2026-24486
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-multipart
Version: 0.0.20-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-multipart.
CVE-2026-24486[0]:
| Python-Multipart is a streaming multipart parser for Python. Prior
| to version 0.0.22, a Path Traversal vulnerability exists when using
| non-default configuration options `UPLOAD_DIR` and
| `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to
| arbitrary locations on the filesystem by crafting a malicious
| filename. Users should upgrade to version 0.0.22 to receive a patch
| or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in
| project configurations.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24486
    https://www.cve.org/CVERecord?id=CVE-2026-24486
[1] https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
[2] https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
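The class of bug named in the CVE description above (a client-supplied filename joined onto an upload directory), shown beside a hardened form. This is an added example, not python-multipart's code or the upstream patch; the function names and sample filenames are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample filenames, as a client might send them in Content-Disposition.
SAMPLES = ["report.pdf", "../outside.txt", "/abs/outside.txt", "sub/../../outside.txt", ".."]

def naive_destination(upload_dir: str, client_filename: str) -> str:
    """Vulnerable pattern: use the client-supplied filename as a path as-is."""
    return os.path.join(upload_dir, client_filename)

def safe_destination(upload_dir: str, client_filename: str) -> Path:
    """Hardened pattern: keep only the last name component, then verify containment."""
    # Treat backslashes as separators too, so Windows-style names are reduced as well.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"unusable upload filename: {client_filename!r}")
    base = Path(upload_dir).resolve()
    dest = (base / name).resolve()
    # Defence in depth: the resolved target (symlinks followed) must sit directly in base.
    if dest.parent != base:
        raise ValueError(f"upload escapes {base}: {client_filename!r}")
    return dest

def escapes(upload_dir: str, path: str) -> bool:
    """True if path, once resolved, lies outside upload_dir."""
    base = os.path.realpath(upload_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base

def check_samples(upload_dir: str) -> dict:
    """Map each sample to (naive join escapes?, name kept by the safe version or None)."""
    results = {}
    for name in SAMPLES:
        naive_escapes = escapes(upload_dir, naive_destination(upload_dir, name))
        try:
            safe = safe_destination(upload_dir, name).name
        except ValueError:
            safe = None  # rejected outright
        results[name] = (naive_escapes, safe)
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for sample, (bad, kept) in check_samples(d).items():
            print(f"{sample!r:28} naive escapes={bad!s:5} safe name={kept!r}")
```

Nothing is written to disk; the functions only compute and compare paths.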
--- Begin Message ---
Source: python-multipart
Source-Version: 0.0.20-1.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-multipart, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated python-multipart
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 01 Feb 2026 16:22:52 +0100
Source: python-multipart
Architecture: source
Version: 0.0.20-1.1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1126557
Changes:
python-multipart (0.0.20-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Arbitrary file write via a non-default configuration (CVE-2026-24486)
(Closes: #1126557)
* chore: add return type on test
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---