Your message dated Sun, 08 Dec 2024 17:32:09 +0000
with message-id <e1tkl8b-00etji...@fasolo.debian.org>
and subject line Bug#1086062: fixed in python-werkzeug 2.2.2-3+deb12u1
has caused the Debian Bug report #1086062,
regarding python-werkzeug: CVE-2024-49767
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1086062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-werkzeug
Version: 3.0.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-werkzeug.
CVE-2024-49767[0]:
| Werkzeug is a Web Server Gateway Interface web application library.
| Applications using `werkzeug.formparser.MultiPartParser`
| corresponding to a version of Werkzeug prior to 3.0.6 to parse
| `multipart/form-data` requests (e.g. all flask applications) are
| vulnerable to a relatively simple but effective resource exhaustion
| (denial of service) attack. A specifically crafted form submission
| request can cause the parser to allocate and block 3 to 8 times the
| upload size in main memory. There is no upper limit; a single upload
| at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
| Werkzeug version 3.0.6 fixes this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-49767
https://www.cve.org/CVERecord?id=CVE-2024-49767
[1] https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
[2] https://github.com/pallets/werkzeug/commit/8760275afb72bd10b57d92cb4d52abf759b2f3a7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
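The advisory quoted in the report above describes a multipart parser with no upper bound on how much of the request body it buffers. The following is an added example, not code from the bug report, from Werkzeug or from Debian: a stdlib-only WSGI middleware that shows the general mitigation a deployment can apply in front of any form parser, enforcing a request-body cap on both the declared `Content-Length` and the bytes actually read, so a client that omits or understates the length (or uses chunked transfer encoding) still cannot push unbounded data into the parser. Werkzeug's own fix in 3.0.6 changes the parser itself and is not reproduced here; the names `RequestBodyLimit`, `CappedStream`, `form_app`, `run` and the 64-byte demo limit are this example's own constructions.

```python
"""Request-body cap as a WSGI middleware (added example, not Werkzeug code).

The defensive idea: bound the bytes a request body may contribute before the
wrapped application (and its multipart parser) ever sees them.
"""
import io
import sys

# Constructed demo value; a real deployment picks a limit matching its largest
# legitimate upload.
MAX_BODY_BYTES = 1024 * 1024


class BodyTooLarge(Exception):
    """Raised when reads from the request body pass the configured cap."""


class CappedStream:
    """Wraps wsgi.input so that at most `limit` bytes can ever be read.

    The declared Content-Length cannot be trusted (it may be missing, wrong,
    or absent under chunked encoding), so the stream itself is bounded.
    """

    def __init__(self, stream, limit):
        self._stream = stream
        self._remaining = limit

    def _take(self, reader, size):
        # Ask for one byte more than allowed so an overflow is detected
        # instead of silently truncated.
        if size is None or size < 0 or size > self._remaining + 1:
            size = self._remaining + 1
        data = reader(size)
        if len(data) > self._remaining:
            raise BodyTooLarge()
        self._remaining -= len(data)
        return data

    def read(self, size=-1):
        return self._take(self._stream.read, size)

    def readline(self, size=-1):
        return self._take(self._stream.readline, size)


class RequestBodyLimit:
    """WSGI middleware: reject oversized bodies with 413 before parsing."""

    def __init__(self, app, max_bytes=MAX_BODY_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    def __call__(self, environ, start_response):
        declared = environ.get("CONTENT_LENGTH", "")
        if declared:
            try:
                if int(declared) > self.max_bytes:
                    return self._reject(start_response)
            except ValueError:
                return self._reject(start_response, "400 Bad Request")
        environ["wsgi.input"] = CappedStream(environ["wsgi.input"], self.max_bytes)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:
            # PEP 3333: start_response may be called again with exc_info if
            # the application had already begun a response.
            return self._reject(start_response, exc_info=sys.exc_info())

    @staticmethod
    def _reject(start_response, status="413 Payload Too Large", exc_info=None):
        body = status.encode("ascii")
        headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
        start_response(status, headers, exc_info)
        return [body]


def form_app(environ, start_response):
    """Stand-in for an application whose form parser buffers the whole body."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"received {len(body)} bytes".encode("ascii")]


def run(app, body, declared_length=True):
    """Drive `app` with a constructed WSGI environ; return (status, response body)."""
    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "multipart/form-data; boundary=demo",  # constructed
        "wsgi.input": io.BytesIO(body),
    }
    if declared_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    result = app(environ, start_response)
    return captured["status"], b"".join(result)


if __name__ == "__main__":
    app = RequestBodyLimit(form_app, max_bytes=64)
    print(run(app, b"a" * 32))                          # within limit -> 200 OK
    print(run(app, b"a" * 4096))                        # declared too large -> 413
    print(run(app, b"a" * 4096, declared_length=False)) # undeclared, capped on read -> 413
```

The middleware is deliberately independent of the parser: it is the layer a maintainer can add when the parser fix itself is not yet deployed. Werkzeug's `Request` also exposes a `max_content_length` setting for the same purpose at the framework level.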
--- Begin Message ---
Source: python-werkzeug
Source-Version: 2.2.2-3+deb12u1
Done: Sean Whitton <spwhit...@spwhitton.name>
We believe that the bug you reported is fixed in the latest version of
python-werkzeug, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1086...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sean Whitton <spwhit...@spwhitton.name> (supplier of updated python-werkzeug
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Dec 2024 16:44:56 +0800
Source: python-werkzeug
Architecture: source
Version: 2.2.2-3+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Sean Whitton <spwhit...@spwhitton.name>
Closes: 1054553 1070711 1086062
Changes:
python-werkzeug (2.2.2-3+deb12u1) bookworm; urgency=high
.
* Backport upstream fix for CVE-2023-46136
(denial of service when file upload begins with CR or LF)
(Closes: #1054553).
* Backport upstream fixes for CVE-2024-34069
(arbitrary code execution on developer's machine via the debugger)
(Closes: #1070711).
* Backport upstream fix for CVE-2024-49767
(denial of service when processing multipart/form-data requests)
(Closes: #1086062).
Checksums-Sha1:
 564bdc41c16af520e84fea8a64e4b396ace11943 2760 python-werkzeug_2.2.2-3+deb12u1.dsc
 4807723cdea3666c001068bbcbf70d5f6c3a5f2a 16648 python-werkzeug_2.2.2-3+deb12u1.debian.tar.xz
Checksums-Sha256:
 dc96b1bd611993c7e9b5deebea43e676e96f5c35b9e9f4fd5eea5a96b3afdd0f 2760 python-werkzeug_2.2.2-3+deb12u1.dsc
 7c2f39f24182e433fea2ecee1e60839485614628af236ee92d4e7f3f0f1e25c0 16648 python-werkzeug_2.2.2-3+deb12u1.debian.tar.xz
Files:
 6f642302401d59600ad541fd7c3c0e1d 2760 python optional python-werkzeug_2.2.2-3+deb12u1.dsc
 19f7708a39698a1ea1072e457528e734 16648 python optional python-werkzeug_2.2.2-3+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmdUC5gACgkQaVt65L8G
YkBVsw/9Hh+r4VbvRb+ojwMDuAJ4vH0p6KHygIwr5GepUlBLp4g3+rAb2K9BL6+z
/pvIScUczrbfL6DrDLi+/6WJu9TKlZMbPt2d/NEWLE6XHJrdisacXIRxttcNLELE
i9yWE73UsMPNrpeemexaQQdZgSGIiP8axECNrI2OfldSyAAH+VwYGr0Tme3VClmF
bJgKO9+4eV2p0CWzWVZjyEBU3PCuNamgYYY6PUE68y4HAd0mxVyKOY+DHEZH8xKc
iJI7NMcCzkhsLDULDT86IqCxXu5wl94q4GbVR/kpTLP8LFppIB1HKTg5K2HMgWVo
BwGOvM4NUmLS5hnIFlTDh7NQD7ZH5nDKWjE6etH8UjGs1YPJPXu4RKWZ0XI/wDMu
5Fgv3si9Q0e6IPYi5FoBy6iHSxxZMPNg7qiQuLdnzEHQovPYIoe8z6xaLejk5KAX
LXQVB0RToZnhadDRAtfEgLUEr2s5kFND/wTFyOJf3BlhlIJu2UvFsD+ACmyQZ91k
EwqOc13q7bbFT8K8m6PfZN2GCHBxw6Ys/oIqoLvNbwQF7dtCF5SWEwpXkZS03+Ff
cUWnseXfS7dnVU3WSo+4Umzx+gn4yM3QBlIMDSffiV1VyMS8FAzyXDqGeR7Hadwd
Psvxtv4qfOmVO6k0HechAsXnMS7S2+8VEkrry1CTtzYNVVqi7AQ=
=7GNi
-----END PGP SIGNATURE-----
--- End Message ---