#1135109 uriparser: CVE-2026-42371

Package:
src:uriparser
Source:
src:uriparser
Submitter:
Salvatore Bonaccorso
Date:
2026-06-12 07:07:04 UTC
Severity:
normal
#1135109#5
Date:
2026-04-27 19:51:33 UTC
Hi,

The following vulnerability was published for uriparser.

CVE-2026-42371[0]:
| uriparser before 1.0.1 has numeric truncation in text range
| comparison, if an application accepts URIs with a length in
| gigabytes.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42371
https://www.cve.org/CVERecord?id=CVE-2026-42371
[1] https://github.com/uriparser/uriparser/pull/298

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
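
The bug class named in the CVE description above, shown as an added illustration; this is not uriparser's code and not part of the original report. The `text_range` struct and the function names are hypothetical, and the gigabyte-scale length is a constructed value, so no large buffer is allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical text range for this example: start pointer plus length. */
typedef struct { const char *first; size_t len; } text_range;

/* Flawed: lengths are narrowed to int before they are compared, so two
 * lengths that differ by a multiple of 2^32 look identical. */
static int compare_truncating(const text_range *a, const text_range *b)
{
    int diff = (int)a->len - (int)b->len;   /* numeric truncation */
    if (diff != 0)
        return diff > 0 ? 1 : -1;
    diff = memcmp(a->first, b->first, a->len);
    return (diff > 0) - (diff < 0);
}

/* Hardened: compare lengths at full width, no narrowing, no subtraction. */
static int compare_full_width(const text_range *a, const text_range *b)
{
    if (a->len != b->len)
        return a->len > b->len ? 1 : -1;
    int diff = memcmp(a->first, b->first, a->len);
    return (diff > 0) - (diff < 0);
}

/* Constructed input: b claims to be 2^32 bytes longer than a. Neither
 * function reads more than a.len (1) byte through b.first here. */
static int demo(int hardened)
{
#if SIZE_MAX > UINT32_MAX
    static const char data[] = "x";
    text_range a = { data, 1 };
    text_range b = { data, (size_t)1 + ((size_t)1 << 32) };
    return hardened ? compare_full_width(&a, &b) : compare_truncating(&a, &b);
#else
    (void)hardened;
    return -1;  /* a 32-bit size_t cannot express the case */
#endif
}

int main(void)
{
    printf("truncating: %d, full width: %d\n", demo(0), demo(1));
    return 0;
}
```

On a platform with 64-bit `size_t`, the truncating comparison reports the two ranges as equal (0) while the full-width comparison reports the shorter range as less (-1).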

#1135109#14
Date:
2026-06-12 07:04:52 UTC
We believe that the bug you reported is fixed in the latest version of
uriparser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135109@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <debian@jff.email> (supplier of updated uriparser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 08 May 2026 14:11:22 +0200
Source: uriparser
Architecture: source
Version: 1.0.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Jörg Frings-Fürst <debian@jff.email>
Changed-By: Jörg Frings-Fürst <debian@jff.email>
Closes: 1123086 1135109
Changes:
 uriparser (1.0.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #1123086, #1135109, CVE-2025-67899,
     CVE-2026-42371):
     - Refresh debian/patches/0001-missing_pthread.patch.
   * debian/copyright:
     - Fix old FSF address.
     - Add year 2026 to myself.
     - Refresh for new release.
   * Declare compliance with Debian Policy 4.7.4.1 (No changes needed).
   * debian/control:
     - Remove redundant Priority and Rules-Requires-Root.
   * Rebuild debian/liburiparser1.symbols.