UbuntuUpdates.org

Package "python-werkzeug"

Name: python-werkzeug

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • documentation for the werkzeug Python library (docs)
  • collection of utilities for WSGI applications (Python 3.x)
Latest version: 2.0.2+dfsg1-1ubuntu0.22.04.3
Release: jammy (22.04)
Level: security
Repository: main

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "python-werkzeug" in Jammy

Repository Area Version
base main 2.0.2+dfsg1-1
updates main 2.0.2+dfsg1-1ubuntu0.22.04.3
PPA: Postgresql 0.16.0+dfsg1-1
PPA: Postgresql 0.16.0+dfsg1-1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.0.2+dfsg1-1ubuntu0.22.04.3 2024-11-05 23:07:01 UTC

  python-werkzeug (2.0.2+dfsg1-1ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via memory consumption
    - debian/patches/CVE-2024-49767.patch: apply max_form_memory_size
      another level up in the parser in src/werkzeug/formparser.py,
      src/werkzeug/sansio/multipart.py, tests/test_formparser.py.
    - CVE-2024-49767

 -- Marc Deslauriers <email address hidden> Wed, 30 Oct 2024 14:32:22 +0100
Source diff to previous version
CVE-2024-49767 Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a versi

Version: 2.0.2+dfsg1-1ubuntu0.22.04.2 2024-05-29 18:08:17 UTC

  python-werkzeug (2.0.2+dfsg1-1ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: remote code execution
    - debian/patches/CVE-2024-34069.patch: restrict debugger trusted hosts
    - CVE-2024-34069

 -- Fabian Toepfer <email address hidden> Tue, 21 May 2024 22:00:37 +0200
Source diff to previous version
CVE-2024-34069 Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a de

Version: 2.0.2+dfsg1-1ubuntu0.22.04.1 2023-03-13 17:06:58 UTC

  python-werkzeug (2.0.2+dfsg1-1ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Shadow cookie with nameless cookie
    - debian/patches/CVE-2023-23934.patch: don't strip leading = when
      parsing cookie.
    - CVE-2023-23934
  * SECURITY UPDATE: DoS when processing unlimited multipart form data parts
    - debian/patches/CVE-2023-25577.patch: limit the maximum number of
      multipart form parts.
    - CVE-2023-25577

 -- Fabian Toepfer <email address hidden> Fri, 10 Mar 2023 13:55:03 +0100
CVE-2023-23934 Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vul
CVE-2023-25577 Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited numbe


About   -   Send Feedback to @ubuntu_updates