Your message dated Thu, 28 May 2026 13:03:48 +0000
with message-id <[email protected]>
and subject line Bug#1137375: fixed in starlette 0.26.1-1+deb12u1
has caused the Debian Bug report #1137375,
regarding starlette: CVE-2026-48710
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137375
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: starlette
Version: 1.0.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for starlette.
CVE-2026-48710[0]:
| starlette Ignore malformed Host header when constructing request.url
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48710
https://www.cve.org/CVERecord?id=CVE-2026-48710
[1] https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/
[2] https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr
[3] https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6
[4] https://github.com/Kludex/starlette/pull/3279
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: starlette
Source-Version: 0.26.1-1+deb12u1
Done: Matheus Polkorny <[email protected]>
We believe that the bug you reported is fixed in the latest version of
starlette, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matheus Polkorny <[email protected]> (supplier of updated starlette package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 May 2026 13:26:42 -0300
Source: starlette
Architecture: source
Version: 0.26.1-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Matheus Polkorny <[email protected]>
Closes: 1085295 1109805 1137375
Changes:
 starlette (0.26.1-1+deb12u1) bookworm-security; urgency=medium
 .
   * Team upload.
   * d/gbp.conf: Update to Bookworm
   * d/patches: (Closes: #1085295, #1109805, #1137375)
     - CVE-2023-29159: Import upstream patch
       (directory traversal vulnerability in StaticFiles)
     - CVE-2024-47874: Import and backport upstream patch
       (DoS via unlimited multipart/form-data field buffering)
     - CVE-2025-54121: Import and backport upstream patch
       (event loop blocking on large multipart uploads to disk)
     - CVE-2026-48710: Import and backport upstream patch
       (Ignore malformed Host when constructing request.url)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---