Package: python-werkzeug / 2.2.2-3+deb12u1
Metadata
Package | Version | Patches format |
---|---|---|
python-werkzeug | 2.2.2-3+deb12u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
preserve any existing PYTHONPATH in tests.patch | tests/conftest.py: 10 8 + 2 - 0 ! | [patch] preserve any existing pythonpath in tests |
remove test_exclude_patterns test.patch | tests/test_serving.py: 10 0 + 10 - 0 ! | remove test_exclude_patterns test Under the sbuild environment, the assert doesn't work and sys.prefix gets wrong. So I'm just removing this test. |
0003 don t strip leading when parsing cookie.patch | src/werkzeug/_internal.py: 13 9 + 4 - 0 ! | cve-2023-23934: don't strip leading = when parsing cookie |
0004 limit the maximum number of multipart form parts.patch | docs/request_data.rst: 37 20 + 17 - 0 ! | cve-2023-25577: limit the maximum number of multipart form parts |
CVE 2023 46136.patch | src/werkzeug/sansio/multipart.py: 10 9 + 1 - 0 ! | fix: slow multipart parsing for huge files with few cr/lf characters (cherry picked from commit b1916c0c083e0be1c9d887ee2f3d696922bfc5c1) |
CVE 2024 34069 1.patch | docs/debug.rst: 35 30 + 5 - 0 ! | restrict debugger trusted hosts Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios. The debugger UI uses the full `document.location` instead of only `document.location.pathname`. Either of these fixes on their own mitigates the reported vulnerability. (cherry picked from commit 71b69dfb7df3d912e66bab87fbb1f21f83504967) |
CVE 2024 34069 2.patch | src/werkzeug/debug/__init__.py: 25 20 + 5 - 0 ! | only require trusted host for evalex (cherry picked from commit 890b6b62634fa61224222aee31081c61b054ff01) |
CVE 2024 49767.patch | src/werkzeug/formparser.py: 11 11 + 0 - 0 ! | apply max_form_memory_size another level up in the parser (cherry picked from commit 8760275afb72bd10b57d92cb4d52abf759b2f3a7) |