Version in base suite: 0.46.1-3+deb13u1 Base version: starlette_0.46.1-3+deb13u1 Target version: starlette_0.46.1-3+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/starlette/starlette_0.46.1-3+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/starlette/starlette_0.46.1-3+deb13u2.dsc changelog | 6 +++ patches/CVE-2026-48710.patch | 69 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 76 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpwt4bxn6_/starlette_0.46.1-3+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpwt4bxn6_/starlette_0.46.1-3+deb13u2.dsc: no acceptable signature found
diff -Nru starlette-0.46.1/debian/changelog starlette-0.46.1/debian/changelog
--- starlette-0.46.1/debian/changelog 2026-01-19 19:57:07.000000000 +0000
+++ starlette-0.46.1/debian/changelog 2026-05-25 15:26:48.000000000 +0000
@@ -1,3 +1,9 @@
+starlette (0.46.1-3+deb13u2) trixie-security; urgency=medium
+
+ * CVE-2026-48710 (Closes: #1137375)
+
+ -- Moritz Mühlenhoff Mon, 25 May 2026 17:26:48 +0200
+
 starlette (0.46.1-3+deb13u1) trixie; urgency=medium
 * Team upload.
diff -Nru starlette-0.46.1/debian/patches/CVE-2026-48710.patch starlette-0.46.1/debian/patches/CVE-2026-48710.patch
--- starlette-0.46.1/debian/patches/CVE-2026-48710.patch 1970-01-01 00:00:00.000000000 +0000
+++ starlette-0.46.1/debian/patches/CVE-2026-48710.patch 2026-05-25 15:26:45.000000000 +0000
@@ -0,0 +1,69 @@
+From 764dab0dcfb9033d75442d7a359645c9f94648c6 Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski
+Date: Thu, 21 May 2026 18:49:37 +0200
+Subject: [PATCH] Ignore malformed `Host` header when constructing
+ `request.url` (#3279)
+
+--- starlette-0.46.1.orig/starlette/datastructures.py
++++ starlette-0.46.1/starlette/datastructures.py
+@@ -1,5 +1,6 @@
+ from __future__ import annotations
+
++import re
+ import typing
+ from shlex import shlex
+ from urllib.parse import SplitResult, parse_qsl, urlencode, urlsplit
+@@ -19,6 +20,9 @@ _KeyType = typing.TypeVar("_KeyType")
+ # that is, you can't do `Mapping[str, Animal]()["fido"] = Dog()`
+ _CovariantValueType = typing.TypeVar("_CovariantValueType", covariant=True)
+
++# Rejects Host header chars (/, ?, #, @, ...) that would let urlsplit produce a path differing from scope["path"].
++_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::[0-9]+)?$", re.IGNORECASE)
++
+
+ class URL:
+ def __init__(
+@@ -41,7 +45,7 @@ class URL:
+ host_header = value.decode("latin-1")
+ break
+
+- if host_header is not None:
++ if host_header is not None and _HOST_RE.fullmatch(host_header):
+ url = f"{scheme}://{host_header}{path}"
+ elif server is None:
+ url = path
+--- starlette-0.46.1.orig/tests/test_datastructures.py
++++ starlette-0.46.1/tests/test_datastructures.py
+@@ -159,6 +159,32 @@ def test_url_from_scope() -> None:
+ assert repr(u) == "URL('http://example.com:8000/some/path?query=string')"
+
+
++@pytest.mark.parametrize(
++ "host",
++ [
++ pytest.param(b"foo/?x=", id="question-mark"),
++ pytest.param(b"foo/#", id="hash"),
++ pytest.param(b"foo/bar", id="slash"),
++ pytest.param(b"user@foo", id="at-sign"),
++ pytest.param(b"foo\\bar", id="backslash"),
++ pytest.param(b"foo bar", id="space"),
++ ],
++)
++def test_url_from_scope_with_invalid_host(host: bytes) -> None:
++ """An invalid Host header should be ignored, falling back to the server tuple."""
++ u = URL(
++ scope={
++ "scheme": "http",
++ "server": ("example.com", 80),
++ "path": "/admin",
++ "query_string": b"",
++ "headers": [(b"host", host)],
++ }
++ )
++ assert u.path == "/admin"
++ assert u.netloc == "example.com"
++
++
+ def test_headers() -> None:
+ h = Headers(raw=[(b"a", b"123"), (b"a", b"456"), (b"b", b"789")])
+ assert "a" in h
diff -Nru starlette-0.46.1/debian/patches/series starlette-0.46.1/debian/patches/series
--- starlette-0.46.1/debian/patches/series 2026-01-19 19:57:07.000000000 +0000
+++ starlette-0.46.1/debian/patches/series 2026-05-25 15:26:34.000000000 +0000
@@ -1,3 +1,4 @@
 json-format.patch
 0002-fix-cve-2024-28849-async-write.patch
 CVE-2025-62727.patch
+CVE-2026-48710.patch
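Review bot: In the datastructures.py part of the new patch file, `_HOST_RE` filters delimiter characters but is not a host validator, and its inline comment should say so, e.g. `# Not a full Host validator: only rejects delimiters that would move part of the header into urlsplit's path/query.` — as far as I can tell from the pattern, the bracketed branch still accepts strings such as `[:::::]` that are not IPv6 addresses, and on CPython releases that validate bracketed hosts `urlsplit` will raise ValueError when `URL.components` is first read rather than falling back to `scope["server"]`. The check also rejects hostnames containing `_`, so requests carrying such a Host now get `request.url` built from the server tuple; that is a user-visible change worth one line in the changelog entry in the first hunk. The `^` and `$` anchors are redundant under `fullmatch`. The Debian patch header carries the upstream commit hash in its `From` line but no DEP-3 `Origin:`/`Bug-Debian:` fields for #1137375, which would help later audits. `URL.__init__` starts and ends outside the inner hunk.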