Package: python-werkzeug / 2.2.2-3+deb12u1

Metadata

Package: python-werkzeug
Version: 2.2.2-3+deb12u1
Patches format: 3.0 (quilt)

Patch series

preserve-any-existing-PYTHONPATH-in-tests.patch

tests/conftest.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

 [PATCH] preserve any existing PYTHONPATH in tests


remove-test_exclude_patterns-test.patch

tests/test_serving.py | 10 ----------
1 file changed, 10 deletions(-)

 remove test_exclude_patterns test
 Under the sbuild environment, the assert doesn't work and sys.prefix comes out
 wrong. So I'm just removing this test.
0003-don-t-strip-leading-when-parsing-cookie.patch

src/werkzeug/_internal.py | 13 +++++++++----
src/werkzeug/sansio/http.py | 4 ----
tests/test_http.py | 4 +++-
3 files changed, 12 insertions(+), 9 deletions(-)

 CVE-2023-23934: don't strip leading = when parsing cookie
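The security point behind this one-line subject: browsers accept a "nameless" cookie of the form `=value`, and a vulnerable or malicious subdomain can set `=__Host-session=attacker`. A cookie parser that drops a leading `=` before splitting on the first `=` then reports a `__Host-session` cookie, a name the browser's `__Host-` prefix rules would never have let a subdomain set, and it can shadow the real host-only cookie. The following is an added illustration written for this page, not Werkzeug's `parse_cookie` or the patched regex; the vulnerable variant reproduces only the "leading `=` is skipped" behaviour the patch title names, and the `ATTACK_HEADER` input is constructed.

```python
"""Cookie-header parsing, vulnerable vs fixed (illustration, not Werkzeug's code)."""
import re
from typing import List, Optional, Tuple

Pairs = List[Tuple[str, str]]

# Vulnerable: the name group needs at least one non-'=' character and the
# pattern is *searched* rather than anchored, so the match silently starts
# after a leading '='. (Simplified regex written for this example.)
_LAX_PAIR_RE = re.compile(r"([^=;]+)\s*=\s*(.*)")


def parse_cookie_vulnerable(header: str) -> Pairs:
    pairs: Pairs = []
    for segment in header.split(";"):
        m = _LAX_PAIR_RE.search(segment.strip())
        if m is None:
            continue
        pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs


def parse_cookie_fixed(header: str) -> Pairs:
    """Split each segment at its first '=', anchored at the segment start, so a
    nameless cookie '=__Host-x=y' yields name '' and value '__Host-x=y' and can
    never be confused with the genuine '__Host-x' cookie."""
    pairs: Pairs = []
    for segment in header.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        name, sep, value = segment.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def first_value(pairs: Pairs, name: str) -> Optional[str]:
    """First-wins lookup. Browsers order the Cookie header by path length and
    then creation time, so an attacker-set cookie can arrive before the
    legitimate one and win a first-match lookup."""
    for k, v in pairs:
        if k == name:
            return v
    return None


# Constructed Cookie header: a nameless cookie planted by a subdomain,
# followed by the legitimate host-only '__Host-' cookie.
ATTACK_HEADER = "=__Host-session=attacker; __Host-session=legit"
```

With the vulnerable parser `first_value(..., "__Host-session")` returns `attacker`; with the fixed one the nameless cookie is kept under the empty name and the lookup returns `legit`. Applications that rely on the `__Host-` prefix for session cookies should also reject an empty cookie name outright rather than store it.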
0004-limit-the-maximum-number-of-multipart-form-parts.patch

docs/request_data.rst | 37 ++++++++++++++++++++-----------------
src/werkzeug/formparser.py | 12 +++++++++++-
src/werkzeug/sansio/multipart.py | 8 ++++++++
src/werkzeug/wrappers/request.py | 8 ++++++++
tests/test_formparser.py | 9 +++++++++
5 files changed, 56 insertions(+), 18 deletions(-)

 CVE-2023-25577: limit the maximum number of multipart form parts
CVE-2023-46136.patch

src/werkzeug/sansio/multipart.py | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

 fix: slow multipart parsing for huge files with few CR/LF characters

(cherry picked from commit b1916c0c083e0be1c9d887ee2f3d696922bfc5c1)

CVE-2024-34069-1.patch

docs/debug.rst | 35 ++++++++++++++++++++++++++++++-----
src/werkzeug/debug/__init__.py | 10 ++++++++++
src/werkzeug/debug/shared/debugger.js | 4 ++--
src/werkzeug/serving.py | 3 +++
4 files changed, 45 insertions(+), 7 deletions(-)

 restrict debugger trusted hosts

Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios.

The debugger UI uses the full `document.location` instead of only `document.location.pathname`.

Either of these fixes on their own mitigates the reported vulnerability.

(cherry picked from commit 71b69dfb7df3d912e66bab87fbb1f21f83504967)

CVE-2024-34069-2.patch

src/werkzeug/debug/__init__.py | 25 ++++++++++++++++++++-----
src/werkzeug/sansio/utils.py | 2 +-
2 files changed, 21 insertions(+), 6 deletions(-)

 only require trusted host for evalex

(cherry picked from commit 890b6b62634fa61224222aee31081c61b054ff01)
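The two CVE-2024-34069 patches describe a policy rather than show it: a `trusted_hosts` list defaulting to `localhost`, any `.localhost` subdomain and `127.0.0.1`; `run_simple` appending its own `hostname`; and, after the follow-up, the host check applying only when the interactive console (`evalex`) is enabled. The code below is an added example written for this page that implements that policy; it is not Werkzeug's `DebuggedApplication` or its `host_is_trusted` helper, and the function names, the port stripping and the bracketed-IPv6 handling are this example's own choices.

```python
"""Trusted-host gating for a development debugger (illustration, not Werkzeug code)."""
from typing import List, Optional

# Defaults as described in the patch: localhost, ".localhost" subdomains, 127.0.0.1.
DEFAULT_TRUSTED_HOSTS = ["localhost", ".localhost", "127.0.0.1"]


def _strip_port(host: str) -> str:
    """Drop a trailing ':port' from a Host header value. Bracketed IPv6
    literals are kept intact; a bare IPv6 literal is left alone because its
    colons are not a port separator. (Handling chosen for this example.)"""
    host = host.strip().lower()
    if host.startswith("["):            # "[::1]:5000" -> "[::1]"
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if host.count(":") == 1:            # "example.test:8080" -> "example.test"
        return host.rpartition(":")[0]
    return host


def host_is_trusted(host: Optional[str], trusted: List[str]) -> bool:
    """A trusted entry starting with '.' matches any subdomain of it (never the
    bare domain, and never a host that merely ends in the same letters, since
    the dot is part of the suffix); any other entry must match exactly."""
    if not host:
        return False
    host = _strip_port(host)
    for ref in trusted:
        ref = ref.lower()
        if ref.startswith("."):
            if host.endswith(ref):
                return True
        elif host == ref:
            return True
    return False


def debugger_trusted_hosts(bind_hostname: Optional[str] = None) -> List[str]:
    """What the patch says run_simple(use_debugger=True) does: start from the
    defaults and add the hostname the server was asked to bind to."""
    hosts = list(DEFAULT_TRUSTED_HOSTS)
    if bind_hostname and bind_hostname not in hosts:
        hosts.append(bind_hostname)
    return hosts


def allow_debugger(host: Optional[str], evalex: bool, trusted: List[str]) -> bool:
    """Second patch: the host check protects code execution, so it is only
    required when the console is enabled. Without evalex the debugger page is
    read-only and the Host header is not consulted."""
    if not evalex:
        return True
    return host_is_trusted(host, trusted)
```

The suffix rule is the part worth testing: `app.localhost` must pass, `localhost.evil.example` and `evillocalhost` must not, and an untrusted `Host` must still block the console even when the request reaches the server over a loopback socket, because the Host header is attacker-controlled in a DNS-rebinding or cross-origin scenario.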

CVE-2024-49767.patch

src/werkzeug/formparser.py | 11 +++++++++++
src/werkzeug/sansio/multipart.py | 2 ++
tests/test_formparser.py | 12 ++++++++++++
3 files changed, 25 insertions(+)

 apply max_form_memory_size another level up in the parser

(cherry picked from commit 8760275afb72bd10b57d92cb4d52abf759b2f3a7)
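Three of the entries above concern the same attack surface, resource exhaustion through `multipart/form-data`: CVE-2023-25577 introduces a cap on the number of parts, and CVE-2024-49767 moves the `max_form_memory_size` check to a point in the parser where a crafted body can no longer slip past it. The example below is added for this page and is not Werkzeug's `MultiPartParser`: it is a minimal boundary-splitting parser that enforces both limits at the request level, with the limit names taken from the patch subjects. Counting `max_form_memory_size` across all non-file fields together is this example's own, deliberately strict, choice and not a statement about how Werkzeug counts; the `build_multipart` inputs are constructed, and the CR/LF scanning issue of CVE-2023-46136 is not modelled here.

```python
"""Minimal multipart/form-data parser with part-count and memory limits
(illustration written for this page, not Werkzeug's parser)."""
import re
from typing import Dict, List, Optional, Tuple


class RequestEntityTooLarge(Exception):
    """A server maps this to HTTP 413 and stops reading the body."""


_NAME_RE = re.compile(rb'\bname="([^"]*)"')
_FILENAME_RE = re.compile(rb'\bfilename="([^"]*)"')


def parse_multipart(body: bytes, boundary: bytes, *,
                    max_form_parts: int = 1000,
                    max_form_memory_size: int = 500_000
                    ) -> Tuple[Dict[str, bytes], Dict[str, Tuple[str, int]]]:
    """Return (fields, files): fields maps name -> value bytes, files maps
    name -> (filename, size). Raises RequestEntityTooLarge when the part count
    or the total of buffered non-file bytes exceeds a limit, ValueError on a
    malformed body. The boundary is client-chosen, so it cannot occur inside
    part data and a plain split is enough for this illustration."""
    delimiter = b"--" + boundary
    chunks = body.split(delimiter)
    # chunks[0] is the preamble, chunks[-1] is whatever follows the closing "--".
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        raise ValueError("missing closing boundary")

    fields: Dict[str, bytes] = {}
    files: Dict[str, Tuple[str, int]] = {}
    parts = 0
    buffered = 0
    for chunk in chunks[1:-1]:
        parts += 1
        if parts > max_form_parts:          # checked before any work on the part
            raise RequestEntityTooLarge(f"more than {max_form_parts} parts")
        if not chunk.startswith(b"\r\n"):
            raise ValueError("boundary not followed by CRLF")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next boundary
            data = data[:-2]
        name_m = _NAME_RE.search(head)
        if name_m is None:
            raise ValueError("part without a field name")
        name = name_m.group(1).decode("utf-8", "replace")
        file_m = _FILENAME_RE.search(head)
        if file_m is not None:
            # File parts are not buffered here (a real server streams them to
            # disk under max_content_length); only the size is recorded.
            files[name] = (file_m.group(1).decode("utf-8", "replace"), len(data))
        else:
            # Form-level accounting: every non-file byte counts, so many fields
            # that are each under the limit cannot add up past it.
            buffered += len(data)
            if buffered > max_form_memory_size:
                raise RequestEntityTooLarge(
                    f"non-file fields exceed {max_form_memory_size} bytes")
            fields[name] = data
    return fields, files


def exceeds_limits(body: bytes, boundary: bytes, **limits) -> bool:
    """True if parse_multipart rejects the body for exceeding a limit."""
    try:
        parse_multipart(body, boundary, **limits)
    except RequestEntityTooLarge:
        return True
    return False


def build_multipart(boundary: bytes,
                    parts: List[Tuple[str, Optional[str], bytes]]) -> bytes:
    """Constructed test input: parts is a list of (name, filename or None, data)."""
    out = []
    for name, filename, data in parts:
        disposition = b'form-data; name="%s"' % name.encode()
        if filename is not None:
            disposition += b'; filename="%s"' % filename.encode()
        out.append(b"--" + boundary + b"\r\nContent-Disposition: " + disposition
                   + b"\r\n\r\n" + data + b"\r\n")
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)
```

Two behaviours are worth checking against any parser you deploy: a body with more parts than `max_form_parts` must be rejected before the excess parts are processed, and several non-file fields that are each individually small must still be rejected once their total crosses the memory limit, while file parts, which are streamed rather than buffered, do not count against it.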