Version in base suite: 1.2.1-2 Base version: multipart_1.2.1-2 Target version: multipart_1.2.1-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/multipart/multipart_1.2.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/multipart/multipart_1.2.1-2+deb13u1.dsc .gitignore | 1 - changelog | 6 ++++++ patches/CVE-2026-28356.patch | 23 +++++++++++++++++++++++ patches/series | 1 + 4 files changed, 30 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpumxtt0dr/multipart_1.2.1-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpumxtt0dr/multipart_1.2.1-2+deb13u1.dsc: no acceptable signature found diff -Nru multipart-1.2.1/debian/.gitignore multipart-1.2.1/debian/.gitignore --- multipart-1.2.1/debian/.gitignore 2024-12-22 11:17:51.000000000 +0000 +++ multipart-1.2.1/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -/files diff -Nru multipart-1.2.1/debian/changelog multipart-1.2.1/debian/changelog --- multipart-1.2.1/debian/changelog 2024-12-22 11:17:51.000000000 +0000 +++ multipart-1.2.1/debian/changelog 2026-03-11 10:10:45.000000000 +0000 @@ -1,3 +1,9 @@ +multipart (1.2.1-2+deb13u1) trixie-security; urgency=medium + + * CVE-2026-28356: Fix ReDoS in parse_options_header. + + -- Colin Watson Wed, 11 Mar 2026 10:10:45 +0000 + multipart (1.2.1-2) unstable; urgency=medium * Source-only reupload. diff -Nru multipart-1.2.1/debian/patches/CVE-2026-28356.patch multipart-1.2.1/debian/patches/CVE-2026-28356.patch --- multipart-1.2.1/debian/patches/CVE-2026-28356.patch 1970-01-01 00:00:00.000000000 +0000 +++ multipart-1.2.1/debian/patches/CVE-2026-28356.patch 2026-02-27 12:21:06.000000000 +0000 
@@ -0,0 +1,23 @@
+From: Marcel Hellkamp
+Date: Fri, 27 Feb 2026 10:16:29 +0100
+Subject: fix: Header parser performance
+
+Origin: backport, https://github.com/defnull/multipart/commit/30ad444d00df28fb10690690db4662962bda5c74
+Last-Update: 2026-02-27
+---
+ multipart.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/multipart.py b/multipart.py
+index 762770e..2f4259c 100644
+--- a/multipart.py
++++ b/multipart.py
+@@ -182,7 +182,7 @@ class _cached_property:
+ _token="[a-zA-Z0-9-!#$%&'*+.^_`|~]+"
+ _re_istoken = re.compile("^%s$" % _token, re.ASCII)
+ # A token or quoted-string (simple qs | token | slow qs)
+-_value = r'"[^\\"]*"|%s|"(?:\\.|[^"])*"' % _token
++_value = r'"[^\\"]*"|%s|"(?:\\.|[^\\"])*"' % _token
+ # A "; key=value" pair from content-disposition header
+ _option = r'; *(%s) *= *(%s)' % (_token, _value)
+ _re_option = re.compile(_option)
diff -Nru multipart-1.2.1/debian/patches/series multipart-1.2.1/debian/patches/series
--- multipart-1.2.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ multipart-1.2.1/debian/patches/series 2026-03-11 10:06:55.000000000 +0000
@@ -0,0 +1 @@
+CVE-2026-28356.patch
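Review bot: The backported patch touches only `multipart.py` (its diffstat reads 1 file changed), so nothing in the package guards the rewritten `_value` pattern against regressing. A regression test that runs parse_options_header on a long malformed quoted value and asserts it returns promptly would pin the CVE-2026-28356 fix. The slow quoted-string branch is now safe only because `\\.` and `[^\\"]` can never both match a backslash, which the existing comment does not say; I would add `# slow qs: the two alternatives must stay mutually exclusive on "\" (ReDoS, CVE-2026-28356)` above `_value`. A backslash directly before the closing quote was previously consumed by `[^"]` and now appears to make the quoted-string fail to match, so values ending in a backslash may parse differently; that looks intended but is worth confirming against callers. How `_re_option` is applied to the header lies outside the hunk.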