Bug 2495855
| Summary: | CVE-2026-53540 python-python-multipart: Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory [epel-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | jkelly <jkelly> |
| Component: | python-python-multipart | Assignee: | Ben Beasley <code> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | epel10 | CC: | code, python-packagers-sig |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["464df854-1566-42f7-97c9-92e41ad757e5"]} | ||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-07-01 09:50:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2491443 | ||
|
Description
jkelly
2026-07-01 08:49:05 UTC
https://www.cve.org/CVERecord?id=CVE-2026-53540 https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf The EPEL10 branch already has a version containing the fix. The EPEL9 branch is affected, but an incompatible update would be required, and backporting, while it may be straightforward if the surrounding code hasn’t diverged too much, seems like work that isn’t justified by the low severity of this CVE. I believe that the fix comprises https://github.com/Kludex/python-multipart/commit/6b837d47bc68826ed5cbbcb50c6c6a6093444494 and https://github.com/Kludex/python-multipart/commit/c814948acf509cef7881fa75c969969b19239bbf, and I would accept a reasonable PR backporting these to EPEL9, but I don’t plan to work on it myself. |