Discussion:
Bug#1089079: bookworm-pu: package python-werkzeug/2.2.2-3+deb12u1
(too old to reply)
Sean Whitton
2024-12-05 04:10:01 UTC
Permalink
Package: release.debian.org
Severity: normal
Tags: bookworm
User: ***@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-***@lists.debian.org, ***@t-online.de
Control: affects -1 + src:python-werkzeug

Dear release team,

Fix three DoS CVEs. Straightforward backports of upstream's commits, all of
which are already in unstable.

Upstream's test suite passes so I believe that no ordinary functionality is
impacted, although, upstream did not provide new tests to verify the fixes.

The changes regarding trusted hosts is only for the debugger, so wouldn't
inadvertedly impact anyone's production usage.

I have not uploaded, but pushed to salsa:python-team/packages/python-werkzeug#debian/bookworm.

Thanks.
--
Sean Whitton
Debian Bug Tracking System
2024-12-05 04:10:01 UTC
Permalink
Post by Sean Whitton
affects -1 + src:python-werkzeug
Bug #1089079 [release.debian.org] bookworm-pu: package python-werkzeug/2.2.2-3+deb12u1
Added indication that 1089079 affects src:python-werkzeug
--
1089079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089079
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2024-12-06 13:40:01 UTC
Permalink
tag -1 confirmed
Bug #1089079 [release.debian.org] bookworm-pu: package python-werkzeug/2.2.2-3+deb12u1
Added tag(s) confirmed.
--
1089079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089079
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-12-06 13:40:02 UTC
Permalink
Control: tag -1 confirmed

I prefer a little more detail in the changelog about *what* these are,
rather than bare CVE numbers. But I see descriptions in the headers so it's
not the end of the world. Please go ahead.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Sean Whitton
2024-12-07 09:00:01 UTC
Permalink
Hello,
Post by Jonathan Wiltshire
Control: tag -1 confirmed
I prefer a little more detail in the changelog about *what* these are,
rather than bare CVE numbers. But I see descriptions in the headers so it's
not the end of the world. Please go ahead.
Thanks. I've added some CVE summaries to the changelog and uploaded.
--
Sean Whitton
Jonathan Wiltshire
2024-12-08 17:30:01 UTC
Permalink
package release.debian.org
tags 1089079 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: python-werkzeug
Version: 2.2.2-3+deb12u1

Explanation: fix denial of service when file upload begins with CR or LF [CVE-2023-46136]; fix arbitrary code execution on developer's machine via the debugger [CVE-2024-34069]; fix denial of service when processing multipart/form-data requests [CVE-2024-49767]
Debian Bug Tracking System
2024-12-08 17:30:01 UTC
Permalink
Post by Jonathan Wiltshire
package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
Post by Jonathan Wiltshire
tags 1089079 = bookworm pending
Bug #1089079 [release.debian.org] bookworm-pu: package python-werkzeug/2.2.2-3+deb12u1
Added tag(s) pending; removed tag(s) confirmed.
Post by Jonathan Wiltshire
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1089079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089079
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2025-01-11 11:20:02 UTC
Permalink
Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <E1tWZGn-009jap-***@coccia.debian.org>
and subject line Close 1089079
has caused the Debian Bug report #1089079,
regarding bookworm-pu: package python-werkzeug/2.2.2-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1089079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089079
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...