Your message dated Fri, 18 Oct 2024 08:38:29 +0000
with message-id <e1t1ivb-005new...@fasolo.debian.org>
and subject line Bug#1085295: fixed in starlette 0.41.0-1
has caused the Debian Bug report #1085295,
regarding starlette: CVE-2024-47874
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1085295: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085295
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: starlette
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for starlette.

CVE-2024-47874[0]:
| Starlette is an Asynchronous Server Gateway Interface (ASGI)
| framework/toolkit. Prior to version 0.40.0, Starlette treats
| `multipart/form-data` parts without a `filename` as text form fields
| and buffers those in byte strings with no size limit. This allows an
| attacker to upload arbitrary large form fields and cause Starlette
| to both slow down significantly due to excessive memory allocations
| and copy operations, and also consume more and more memory until the
| server starts swapping and grinds to a halt, or the OS terminates
| the server process with an OOM error. Uploading multiple such
| requests in parallel may be enough to render a service practically
| unusable, even if reasonable request size limits are enforced by a
| reverse proxy in front of Starlette. This Denial of service (DoS)
| vulnerability affects all applications built with Starlette (or
| FastAPI) accepting form requests. Version 0.40.0 fixes this issue.

https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47874
    https://www.cve.org/CVERecord?id=CVE-2024-47874

Please adjust the affected versions in the BTS as needed.

--- End Message ---
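The advisory above describes the mechanism of the bug: multipart parts that carry no `filename` are treated as text fields and accumulated in memory with no upper bound, so a request body well inside a reverse proxy's size limit can still be shaped to cost the server far more memory than its size suggests. The following is an added, self-contained example (not Starlette's own parser, not the code from the fix commit); it parses a constructed `multipart/form-data` body chunk by chunk, keeps text fields in memory under a per-part limit, streams file parts to a spool, and, with the limit disabled, reproduces the unbounded buffering the advisory describes. The parameter name `max_part_size`, the 8 KiB header bound, the boundary string and the sample bodies are all assumptions made for this example.

```python
import re
from io import BytesIO
from typing import Iterable, Optional

class PartTooLarge(ValueError):
    """A text field grew past the in-memory limit; the request should be rejected (413)."""

_NAME_RE = re.compile(r'\bname="([^"]*)"')
_FILENAME_RE = re.compile(r'\bfilename="([^"]*)"')
MAX_HEADER_BYTES = 8192  # constructed bound for one part's header block

def parse_form(chunks: Iterable[bytes], boundary: bytes,
               max_part_size: Optional[int] = 1024 * 1024):
    """Parse a multipart/form-data body delivered as byte chunks into (fields, files).

    Text fields (parts without a filename) are held in memory, bounded by max_part_size;
    file parts go to a spool and only (filename, size) is kept. None disables the bound.
    """
    delim = b"--" + boundary   # delimiter at the start of a line
    sep = b"\r\n" + delim      # delimiter as it follows a part body
    fields, files = {}, {}
    buf, state = b"", "preamble"
    name, filename = "", None
    text_buf, spool = bytearray(), BytesIO()

    def feed(data: bytes) -> None:
        # Append body bytes to the current part; the size check is the missing guard.
        if filename is None:
            if max_part_size is not None and len(text_buf) + len(data) > max_part_size:
                raise PartTooLarge(f"field {name!r} exceeds {max_part_size} bytes")
            text_buf.extend(data)
        else:
            spool.write(data)

    for chunk in chunks:
        buf += chunk
        while state != "done":
            if state == "preamble":
                idx = buf.find(delim + b"\r\n")
                if idx < 0:
                    break
                buf, state = buf[idx + len(delim) + 2:], "headers"
            elif state == "headers":
                idx = buf.find(b"\r\n\r\n")
                if idx < 0:
                    if len(buf) > MAX_HEADER_BYTES:
                        raise ValueError("part headers too large")
                    break
                headers, buf = buf[:idx].decode("latin-1"), buf[idx + 4:]
                m = _NAME_RE.search(headers)
                name = m.group(1) if m else ""
                m = _FILENAME_RE.search(headers)
                filename = m.group(1) if m else None
                text_buf, spool, state = bytearray(), BytesIO(), "body"
            else:  # body
                idx = buf.find(sep)
                if idx < 0:
                    tail = len(sep) - 1   # the delimiter may straddle two chunks
                    if len(buf) > tail:
                        feed(buf[:-tail])
                        buf = buf[-tail:]
                    break
                if len(buf) < idx + len(sep) + 2:
                    break   # wait for the "--" or CRLF that follows the delimiter
                feed(buf[:idx])
                buf = buf[idx + len(sep):]
                if filename is None:
                    fields[name] = bytes(text_buf)
                else:
                    files[name] = (filename, spool.tell())
                if buf.startswith(b"--"):
                    state = "done"
                else:
                    buf, state = buf[2:], "headers"
    if state != "done":
        raise ValueError("truncated multipart body")
    return fields, files

def build_body(boundary: bytes, parts) -> bytes:
    # Construct a multipart body from (name, filename_or_None, data) tuples.
    out = bytearray()
    for name, filename, data in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out += b"--" + boundary + b"\r\n" + disp.encode() + b"\r\n\r\n" + data + b"\r\n"
    return bytes(out + b"--" + boundary + b"--\r\n")

def chunked(data: bytes, size: int = 64):
    # Deliver the body in small chunks, as an ASGI server would.
    for i in range(0, len(data), size):
        yield data[i:i + size]

BOUNDARY = b"exampleboundary"   # constructed sample boundary

def parse_ok():
    # A small text field plus a 5000-byte file part, parsed with a 1 KiB field limit.
    body = build_body(BOUNDARY, [("comment", None, b"hello"), ("upload", "a.bin", b"\x00" * 5000)])
    return parse_form(chunked(body), BOUNDARY, max_part_size=1024)

def parse_oversized_field(limit: Optional[int] = 1024) -> str:
    # A 5000-byte text field: rejected under a limit, silently buffered without one.
    body = build_body(BOUNDARY, [("comment", None, b"A" * 5000)])
    try:
        parse_form(chunked(body), BOUNDARY, max_part_size=limit)
    except PartTooLarge:
        return "rejected"
    return "accepted"
```

`parse_ok()` returns `({'comment': b'hello'}, {'upload': ('a.bin', 5000)})`: the file part never sits in one growing byte string, only its size is retained. `parse_oversized_field()` returns `"rejected"`, while `parse_oversized_field(limit=None)` returns `"accepted"`, which is the pre-fix behaviour: the whole field is buffered no matter how large it is. The per-part limit is the important check; a body-size limit at the reverse proxy does not replace it, because the cost here comes from repeated reallocation and copying of the growing buffer across many concurrent requests, not from any single request's size.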
--- Begin Message ---
Source: starlette
Source-Version: 0.41.0-1
Done: Piotr Ożarowski <pi...@debian.org>

We believe that the bug you reported is fixed in the latest version of
starlette, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1085...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <pi...@debian.org> (supplier of updated starlette package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Oct 2024 09:00:46 +0200
Source: starlette
Architecture: source
Version: 0.41.0-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Piotr Ożarowski <pi...@debian.org>
Closes: 1085295
Changes:
 starlette (0.41.0-1) unstable; urgency=high
 .
   * New upstream release
     - fixes CVE-2024-47874 (closes: 1085295)
Checksums-Sha1:
 cdc88197cf77a0b3c242919531f91bf6a224c858 2424 starlette_0.41.0-1.dsc
 19568e2c184bed41fb5d3909b89c2fa4e386f89f 2573755 starlette_0.41.0.orig.tar.gz
 61ea82b178ec3d1a3b2b7276690d5e4a855c991e 3656 starlette_0.41.0-1.debian.tar.xz
 fc0efd7f4a8c7fd35546ae49211a5ebe77db4844 8370 starlette_0.41.0-1_amd64.buildinfo
Checksums-Sha256:
 d5f478fe4e169c1b4ce695c6b687a998209a9c9a6185daea841724d39e4c0782 2424 starlette_0.41.0-1.dsc
 39cbd8768b107d68bfe1ff1672b38a2c38b49777de46d2a592841d58e3bf7c2a 2573755 starlette_0.41.0.orig.tar.gz
 612112d9a042ff0fc271dd84df42d7b86f2a292130c86c920716a2927dc187ac 3656 starlette_0.41.0-1.debian.tar.xz
 9f20f17958b23f5b6f0877d4f3acf098fe5619a6c220a81d6506eabcd956f3d0 8370 starlette_0.41.0-1_amd64.buildinfo
Files:
 7ce4ca692d1dfe1c348978f91f710cb4 2424 python optional starlette_0.41.0-1.dsc
 c7bea1bc676a8e9adce0214bf632f67b 2573755 python optional starlette_0.41.0.orig.tar.gz
 e61891520ffd7e550329279c23a08740 3656 python optional starlette_0.41.0-1.debian.tar.xz
 c80d48ee397983ba14c82eb60e19390e 8370 python optional starlette_0.41.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpnDV05g8lgr.pgp
Description: PGP signature


--- End Message ---
