Package: python-werkzeug | Debian Sources

Package: python-werkzeug / 2.2.2-3+deb12u1

Metadata

Package	Version	Patches format
python-werkzeug	2.2.2-3+deb12u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
preserve any existing PYTHONPATH in tests.patch \| (download)	tests/conftest.py \| 10 8 + 2 - 0 ! 1 file changed, 8 insertions(+), 2 deletions(-)	[patch] preserve any existing pythonpath in tests
remove test_exclude_patterns test.patch \| (download)	tests/test_serving.py \| 10 0 + 10 - 0 ! 1 file changed, 10 deletions(-)	remove test_exclude_patterns test Under the sbuild environment, the asert doesn't work and sys.prefix gets wrong. So I'm just removing this test.
0003 don t strip leading when parsing cookie.patch \| (download)	src/werkzeug/_internal.py \| 13 9 + 4 - 0 ! src/werkzeug/sansio/http.py \| 4 0 + 4 - 0 ! tests/test_http.py \| 4 3 + 1 - 0 ! 3 files changed, 12 insertions(+), 9 deletions(-)	cve-2023-23934: don't strip leading = when parsing cookie
0004 limit the maximum number of multipart form parts.patch \| (download)	docs/request_data.rst \| 37 20 + 17 - 0 ! src/werkzeug/formparser.py \| 12 11 + 1 - 0 ! src/werkzeug/sansio/multipart.py \| 8 8 + 0 - 0 ! src/werkzeug/wrappers/request.py \| 8 8 + 0 - 0 ! tests/test_formparser.py \| 9 9 + 0 - 0 ! 5 files changed, 56 insertions(+), 18 deletions(-)	cve-2023-25577: limit the maximum number of multipart form parts
CVE 2023 46136.patch \| (download)	src/werkzeug/sansio/multipart.py \| 10 9 + 1 - 0 ! 1 file changed, 9 insertions(+), 1 deletion(-)	fix: slow multipart parsing for huge files with few cr/lf characters (cherry picked from commit b1916c0c083e0be1c9d887ee2f3d696922bfc5c1)
CVE 2024 34069 1.patch \| (download)	docs/debug.rst \| 35 30 + 5 - 0 ! src/werkzeug/debug/__init__.py \| 10 10 + 0 - 0 ! src/werkzeug/debug/shared/debugger.js \| 4 2 + 2 - 0 ! src/werkzeug/serving.py \| 3 3 + 0 - 0 ! 4 files changed, 45 insertions(+), 7 deletions(-)	restrict debugger trusted hosts Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios. The debugger UI uses the full `document.location` instead of only `document.location.pathname`. Either of these fixes on their own mitigates the reported vulnerability. (cherry picked from commit 71b69dfb7df3d912e66bab87fbb1f21f83504967)
CVE 2024 34069 2.patch \| (download)	src/werkzeug/debug/__init__.py \| 25 20 + 5 - 0 ! src/werkzeug/sansio/utils.py \| 2 1 + 1 - 0 ! 2 files changed, 21 insertions(+), 6 deletions(-)	only require trusted host for evalex (cherry picked from commit 890b6b62634fa61224222aee31081c61b054ff01)
CVE 2024 49767.patch \| (download)	src/werkzeug/formparser.py \| 11 11 + 0 - 0 ! src/werkzeug/sansio/multipart.py \| 2 2 + 0 - 0 ! tests/test_formparser.py \| 12 12 + 0 - 0 ! 3 files changed, 25 insertions(+)	apply max_form_memory_size another level up in the parser (cherry picked from commit 8760275afb72bd10b57d92cb4d52abf759b2f3a7)

1