Your message dated Fri, 21 Apr 2023 12:11:24 +0000
with message-id <e1pppbo-008pef...@fasolo.debian.org>
and subject line Bug#1031370: fixed in python-werkzeug 2.2.2-3
has caused the Debian Bug report #1031370,
regarding python-werkzeug: CVE-2023-23934 CVE-2023-25577
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-werkzeug
Version: 2.2.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for python-werkzeug.

CVE-2023-23934[0]:
| Werkzeug is a comprehensive WSGI web application library. Browsers may
| allow "nameless" cookies that look like `=value` instead of
| `key=value`. A vulnerable browser may allow a compromised application
| on an adjacent subdomain to exploit this to set a cookie like
| `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will
| parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug
| application is running next to a vulnerable or malicious subdomain
| which sets such a cookie using a vulnerable browser, the Werkzeug
| application will see the bad cookie value but the valid cookie key.
| The issue is fixed in Werkzeug 2.2.3.


CVE-2023-25577[1]:
| Werkzeug is a comprehensive WSGI web application library. Prior to
| version 2.2.3, Werkzeug's multipart form data parser will parse an
| unlimited number of parts, including file parts. Parts can be a small
| amount of bytes, but each requires CPU time to parse and may use more
| memory as Python data. If a request can be made to an endpoint that
| accesses `request.data`, `request.form`, `request.files`, or
| `request.get_data(parse_form_data=False)`, it can cause unexpectedly
| high resource usage. This allows an attacker to cause a denial of
| service by sending crafted multipart data to an endpoint that will
| parse it. The amount of CPU time required can block worker processes
| from handling legitimate requests. The amount of RAM required can
| trigger an out of memory kill of the process. Unlimited file parts can
| use up memory and file handles. If many concurrent requests are sent
| continuously, this can exhaust or kill all available workers. Version
| 2.2.3 contains a patch for this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23934
    https://www.cve.org/CVERecord?id=CVE-2023-23934
[1] https://security-tracker.debian.org/tracker/CVE-2023-25577
    https://www.cve.org/CVERecord?id=CVE-2023-25577

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
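An added illustration of the parsing difference the CVE-2023-23934 text above describes; this is not Werkzeug's own code and not code from the bug report. It contrasts a lenient, unanchored regex scan that silently re-keys a nameless cookie with a strict parser that drops any pair whose name is empty. The Cookie header value is constructed.

```python
import re
from typing import Dict

# Constructed Cookie header: an adjacent subdomain has planted a "nameless"
# cookie whose value is shaped like a __Host- prefixed cookie.
SAMPLE_COOKIE_HEADER = '=__Host-session=forged; theme=dark'

# Unanchored regex scan, a simplified stand-in for the pre-2.2.3 behaviour
# described in CVE-2023-23934 (not Werkzeug's actual code). The name group
# needs at least one character, and finditer() resumes at the next position
# after a failed match, so the leading "=" is skipped and "__Host-session"
# is reported as the cookie name with "forged" as its value.
_SCAN_RE = re.compile(r"(?P<name>[^=;]+)\s*=\s*(?P<value>[^;]*)\s*(?:;|$)")


def parse_cookie_lenient(header: str) -> Dict[str, str]:
    return {m.group("name").strip(): m.group("value").strip()
            for m in _SCAN_RE.finditer(header)}


def parse_cookie_strict(header: str) -> Dict[str, str]:
    """Split on ';' and then on the first '='; a pair whose name is empty is
    dropped rather than re-keyed from its value, so a planted "=name=value"
    can never be seen by the application as cookie "name"."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not sep or not name:
            continue  # nameless "=value", or a bare token without "=": ignore
        cookies[name] = value.strip()
    return cookies
```

Run both parsers over SAMPLE_COOKIE_HEADER: the lenient one returns a trusted-looking `__Host-session` entry, the strict one returns only `theme`.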
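For CVE-2023-25577, an added example (again not Werkzeug's code; the real fix lives inside Werkzeug's multipart parser) of the mitigation principle: count parts while the body is streamed and abort at a cap before the remainder is read or materialised in memory. The boundary, the cap values and the multipart body are constructed.

```python
import io

class TooManyParts(ValueError):
    """Raised as soon as the part cap is exceeded, before the rest is read."""

def count_parts_bounded(stream, boundary: bytes, max_parts: int, chunk_size: int = 4096) -> int:
    """Count multipart parts while streaming and abort once max_parts is
    exceeded. Only a short tail is carried between reads, so a delimiter
    split across a chunk edge is still seen without buffering the body."""
    delim = b"--" + boundary          # each part starts with this
    parts, buf, eof = 0, b"", False
    while not eof:
        chunk = stream.read(chunk_size)
        eof = not chunk
        buf += chunk
        scan = 0
        while True:
            pos = buf.find(delim, scan)
            if pos < 0:
                break
            end = pos + len(delim)
            if len(buf) - end < 2 and not eof:
                break  # cannot tell yet whether this is the closing "--<boundary>--"
            if buf[end:end + 2] == b"--":
                return parts
            parts += 1
            if parts > max_parts:
                raise TooManyParts(f"more than {max_parts} parts in request body")
            scan = end
        # Drop consumed bytes; keep enough tail to complete a split delimiter.
        keep = pos if pos >= 0 else max(scan, len(buf) - len(delim) - 1)
        buf = buf[keep:]
    return parts

def make_body(n_parts: int, boundary: bytes = b"XYZ") -> bytes:
    """Constructed multipart/form-data body holding n_parts tiny parts."""
    part = b"--" + boundary + b'\r\nContent-Disposition: form-data; name="f%d"\r\n\r\nx\r\n'
    return b"".join(part % i for i in range(n_parts)) + b"--" + boundary + b"--\r\n"

def count_parts(body: bytes, boundary: bytes, max_parts: int = 1000) -> int:
    """Run the counter over an in-memory body in 7-byte reads to force splits."""
    return count_parts_bounded(io.BytesIO(body), boundary, max_parts, chunk_size=7)

def exceeds_cap(body: bytes, boundary: bytes, max_parts: int) -> bool:
    """True if the body is rejected by the cap before being fully consumed."""
    try:
        count_parts(body, boundary, max_parts)
        return False
    except TooManyParts:
        return True
```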
--- Begin Message ---
Source: python-werkzeug
Source-Version: 2.2.2-3
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-werkzeug, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-werkzeug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 21 Apr 2023 13:37:22 +0200
Source: python-werkzeug
Architecture: source
Version: 2.2.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1031370
Changes:
 python-werkzeug (2.2.2-3) unstable; urgency=medium
 .
   [ Robin Gustafsson ]
   * Fix security vulnerabilities
     (CVE-2023-23934, CVE-2023-25577, Closes: #1031370)


--- End Message ---
