* [Buildroot] [PATCH] package/python-starlette: security bump to v0.47.2
@ 2025-07-22 11:10 Titouan Christophe via buildroot
  2025-07-22 12:31 ` Marcus Hoffmann via buildroot
  2025-07-22 17:13 ` Julien Olivain via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Titouan Christophe via buildroot @ 2025-07-22 11:10 UTC (permalink / raw)
  To: buildroot; +Cc: James Hilliard, Marcus Hoffmann

This fixes the following vulnerability:

- CVE-2025-54121:
    Starlette is a lightweight ASGI (Asynchronous Server Gateway
    Interface) framework/toolkit, designed for building async web services
    in Python. In versions 0.47.1 and below, when parsing a multi-part
    form with large files (greater than the default max spool size)
    starlette will block the main thread to roll the file over to disk.
    This blocks the event thread which means the application can't accept
    new connections. The UploadFile code has a minor bug where instead of
    just checking for self._in_memory, the logic should also check if the
    additional bytes will cause a rollover. The vulnerability is fixed in
    version 0.47.2.
    https://www.cve.org/CVERecord?id=CVE-2025-54121

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 package/python-starlette/python-starlette.hash | 4 ++--
 package/python-starlette/python-starlette.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-starlette/python-starlette.hash b/package/python-starlette/python-starlette.hash
index be23e4ccb1..5939eb198f 100644
--- a/package/python-starlette/python-starlette.hash
+++ b/package/python-starlette/python-starlette.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/starlette/json
-md5  b876ddd8665f70bb74e45d1fda053699  starlette-0.47.1.tar.gz
-sha256  aef012dd2b6be325ffa16698f9dc533614fb1cebd593a906b90dc1025529a79b  starlette-0.47.1.tar.gz
+md5  b58c9f8d38df9946689cb3e9f94555da  starlette-0.47.2.tar.gz
+sha256  6ae9aa5db235e4846decc1e7b79c4f346adf41e9777aebeb49dfd09bbd7023d8  starlette-0.47.2.tar.gz
 # Locally computed sha256 checksums
 sha256  dcb95677a02240243187e964f941847d19b17821cf99e5afae684fab328c19bf  LICENSE.md
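Review bot: the locally computed sha256 for LICENSE.md on the unchanged context line is carried over from 0.47.1 without being recomputed against the 0.47.2 tarball, which is only correct if the license file is byte-identical across the two releases; the commit message should say the license file was checked, since otherwise the mismatch only surfaces when the legal-info hash check fails. The md5 and sha256 lines for the sdist are updated together and still match the "from https://pypi.org/pypi/starlette/json" comment above them, which is consistent.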
diff --git a/package/python-starlette/python-starlette.mk b/package/python-starlette/python-starlette.mk
index eb49230600..4037903cc5 100644
--- a/package/python-starlette/python-starlette.mk
+++ b/package/python-starlette/python-starlette.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_STARLETTE_VERSION = 0.47.1
+PYTHON_STARLETTE_VERSION = 0.47.2
 PYTHON_STARLETTE_SOURCE = starlette-$(PYTHON_STARLETTE_VERSION).tar.gz
-PYTHON_STARLETTE_SITE = https://files.pythonhosted.org/packages/0a/69/662169fdb92fb96ec3eaee218cf540a629d629c86d7993d9651226a6789b
+PYTHON_STARLETTE_SITE = https://files.pythonhosted.org/packages/04/57/d062573f391d062710d4088fa1369428c38d51460ab6fedff920efef932e
 PYTHON_STARLETTE_SETUP_TYPE = hatch
 PYTHON_STARLETTE_LICENSE = BSD-3-Clause
 PYTHON_STARLETTE_LICENSE_FILES = LICENSE.md
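Review bot: PYTHON_STARLETTE_SITE is a per-upload directory on files.pythonhosted.org, so the new path only resolves for the starlette-0.47.2.tar.gz named by PYTHON_STARLETTE_SOURCE and must move in lockstep with the .hash hunk of this same patch, as it does here; backporting the VERSION or SITE line alone would make the download check fail. Nothing else in the .mk (setup type, license, license file) changes with the bump, which matches the hash hunk leaving the LICENSE.md checksum untouched.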
-- 
2.50.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
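The rollover check that the commit message describes, as an added illustration that is not Starlette's code nor part of the patch: a small spooled-upload wrapper around tempfile.SpooledTemporaryFile with two write paths, the flawed one that only tests whether the buffer is still in memory, and the corrected one that also asks whether the incoming bytes would trigger the rollover and, if so, hands that write to a worker thread so the event loop is not blocked by disk I/O. The class and function names and the 8-byte spool size used for the sample chunks are assumptions; the _rolled attribute is a CPython implementation detail.

```python
import asyncio
import tempfile

class SpooledUpload:
    """Append-only upload buffer that rolls over to disk past max_size bytes."""

    def __init__(self, max_size: int) -> None:
        self.max_size = max_size
        self.size = 0  # bytes appended so far
        self.file = tempfile.SpooledTemporaryFile(max_size=max_size)
        self.offloaded = []  # per write: True if it ran in a worker thread

    @property
    def in_memory(self) -> bool:
        # CPython's SpooledTemporaryFile sets _rolled once data is on disk; if the
        # attribute is missing, assume the worst and treat the spool as on disk.
        return not getattr(self.file, "_rolled", True)

    def would_roll_over(self, n: int) -> bool:
        # True if appending n bytes would push the spool from memory to disk.
        return self.in_memory and self.size + n > self.max_size

    def _write_sync(self, data: bytes, offloaded: bool) -> None:
        self.file.write(data)  # the write that crosses max_size does the rollover
        self.size += len(data)
        self.offloaded.append(offloaded)

    async def write_naive(self, data: bytes) -> None:
        # Flawed check: "still in memory?" only, so the write that triggers the
        # rollover (and its disk I/O) still runs on the event loop.
        if self.in_memory:
            self._write_sync(data, False)
        else:
            await asyncio.to_thread(self._write_sync, data, True)

    async def write(self, data: bytes) -> None:
        # Corrected check: stay on the loop only while no rollover can happen.
        if self.in_memory and not self.would_roll_over(len(data)):
            self._write_sync(data, False)
        else:
            await asyncio.to_thread(self._write_sync, data, True)

async def _upload(chunks, max_size, fixed):
    up = SpooledUpload(max_size)
    for chunk in chunks:
        await (up.write if fixed else up.write_naive)(chunk)
    return up.offloaded, up.in_memory, up.size

def run_upload(chunks, max_size, fixed=True):
    """Feed chunks through one write path; returns (offloaded, in_memory, size)."""
    return asyncio.run(_upload(chunks, max_size, fixed))
```

With three constructed 4-byte chunks and an 8-byte spool, the third write is the one that rolls over: the naive path runs it inline on the loop, the corrected path offloads it.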


* Re: [Buildroot] [PATCH] package/python-starlette: security bump to v0.47.2
  2025-07-22 11:10 [Buildroot] [PATCH] package/python-starlette: security bump to v0.47.2 Titouan Christophe via buildroot
@ 2025-07-22 12:31 ` Marcus Hoffmann via buildroot
  2025-07-22 17:13 ` Julien Olivain via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Marcus Hoffmann via buildroot @ 2025-07-22 12:31 UTC (permalink / raw)
  To: buildroot

Hi!

On 22.07.25 13:10, Titouan Christophe via buildroot wrote:
> This fixes the following vulnerability:
> 
> - CVE-2025-54121:
>      Starlette is a lightweight ASGI (Asynchronous Server Gateway
>      Interface) framework/toolkit, designed for building async web services
>      in Python. In versions 0.47.1 and below, when parsing a multi-part
>      form with large files (greater than the default max spool size)
>      starlette will block the main thread to roll the file over to disk.
>      This blocks the event thread which means the application can't accept
>      new connections. The UploadFile code has a minor bug where instead of
>      just checking for self._in_memory, the logic should also check if the
>      additional bytes will cause a rollover. The vulnerability is fixed in
>      version 0.47.2.
>      https://www.cve.org/CVERecord?id=CVE-2025-54121
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>

> ---

[...]

Marcus

* Re: [Buildroot] [PATCH] package/python-starlette: security bump to v0.47.2
  2025-07-22 11:10 [Buildroot] [PATCH] package/python-starlette: security bump to v0.47.2 Titouan Christophe via buildroot
  2025-07-22 12:31 ` Marcus Hoffmann via buildroot
@ 2025-07-22 17:13 ` Julien Olivain via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Olivain via buildroot @ 2025-07-22 17:13 UTC (permalink / raw)
  To: Titouan Christophe; +Cc: buildroot, James Hilliard, Marcus Hoffmann

On 22/07/2025 13:10, Titouan Christophe via buildroot wrote:
> This fixes the following vulnerability:
> 
> - CVE-2025-54121:
>     Starlette is a lightweight ASGI (Asynchronous Server Gateway
>     Interface) framework/toolkit, designed for building async web services
>     in Python. In versions 0.47.1 and below, when parsing a multi-part
>     form with large files (greater than the default max spool size)
>     starlette will block the main thread to roll the file over to disk.
>     This blocks the event thread which means the application can't accept
>     new connections. The UploadFile code has a minor bug where instead of
>     just checking for self._in_memory, the logic should also check if the
>     additional bytes will cause a rollover. The vulnerability is fixed in
>     version 0.47.2.
>     https://www.cve.org/CVERecord?id=CVE-2025-54121
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to master, thanks.
