Your message dated Sun, 24 Nov 2024 09:20:00 +0000
with message-id <e1tf8me-00do27...@fasolo.debian.org>
and subject line Bug#1086062: fixed in python-werkzeug 3.1.3-1
has caused the Debian Bug report #1086062,
regarding python-werkzeug: CVE-2024-49767
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1086062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-werkzeug
Version: 3.0.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-werkzeug.
CVE-2024-49767[0]:
| Werkzeug is a Web Server Gateway Interface web application library.
| Applications using `werkzeug.formparser.MultiPartParser`
| corresponding to a version of Werkzeug prior to 3.0.6 to parse
| `multipart/form-data` requests (e.g. all flask applications) are
| vulnerable to a relatively simple but effective resource exhaustion
| (denial of service) attack. A specifically crafted form submission
| request can cause the parser to allocate and block 3 to 8 times the
| upload size in main memory. There is no upper limit; a single upload
| at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
| Werkzeug version 3.0.6 fixes this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-49767
https://www.cve.org/CVERecord?id=CVE-2024-49767
[1] https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
[2] https://github.com/pallets/werkzeug/commit/8760275afb72bd10b57d92cb4d52abf759b2f3a7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-werkzeug
Source-Version: 3.1.3-1
Done: Carsten Schoenert <c.schoen...@t-online.de>
We believe that the bug you reported is fixed in the latest version of
python-werkzeug, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Schoenert <c.schoen...@t-online.de> (supplier of updated
python-werkzeug package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 24 Nov 2024 08:50:18 +0100
Source: python-werkzeug
Architecture: source
Version: 3.1.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Carsten Schoenert <c.schoen...@t-online.de>
Closes: 1065427 1086062
Changes:
python-werkzeug (3.1.3-1) experimental; urgency=medium
.
* Team upload
* [a3a30e6] d/control: Sort the binary packages alphabetically
* [f09c7a3] New upstream version 3.1.3
Fixes CVE-2024-49767
(Closes: #1086062)
* [8afd1df] Rebuild patch queue from patch-queue branch
Dropped patch (included upstream):
tests-Preserve-any-existing-PYTHONPATH-in-tests.patch
* [edf459d] d/rules: Add variable PYBUILD_TEST_ARGS
We need to ignore some tests at build time now.
* [1346e45] d/rules: Drop -D option from SPHINXOPTS
* [804f129] d/control: python3-werkzeug - Drop dep on libjs-jquery
(Closes: #1065427)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---