
Accepted python-werkzeug 0.14.1+dfsg1-4+deb10u2 (source) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Feb 2023 18:25:42 +0100
Source: python-werkzeug
Architecture: source
Version: 0.14.1+dfsg1-4+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Python Modules Packaging Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1031370
Changes:
 python-werkzeug (0.14.1+dfsg1-4+deb10u2) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2023-23934: Werkzeug will parse the cookie `=__Host-test=bad` as
     `__Host-test=bad`. If a Werkzeug application is running next to a
     vulnerable or malicious subdomain which sets such a cookie using a
     vulnerable browser, the Werkzeug application will see the bad cookie
     value but the valid cookie key. Browsers may allow "nameless" cookies
     that look like `=value` instead of `key=value`. A vulnerable browser
     may allow a compromised application on an adjacent subdomain to
     exploit this to set a cookie like `=__Host-test=bad` for another
     subdomain. (Closes: #1031370)
   * CVE-2023-25577: Werkzeug's multipart form data parser will parse an
     unlimited number of parts, including file parts. Parts can be a small
     amount of bytes, but each requires CPU time to parse and may use more
     memory as Python data. If a request can be made to an endpoint that
     accesses `request.data`, `request.form`, `request.files`, or
     `request.get_data(parse_form_data=False)`, it can cause unexpectedly
     high resource usage. This allows an attacker to cause a denial of
     service by sending crafted multipart data to an endpoint that will
     parse it. (Closes: #1031370)
Checksums-Sha1:
 7906341721ee187d6483918419e54390f51947b1 2612 python-werkzeug_0.14.1+dfsg1-4+deb10u2.dsc
 c1e1525608134964708afafb6c559e5314be3fe9 1109469 python-werkzeug_0.14.1+dfsg1.orig.tar.gz
 07e29224d4cda04c1981284bec4359361cb04823 12844 python-werkzeug_0.14.1+dfsg1-4+deb10u2.debian.tar.xz
 ccea81d6799cf87b8187a430e37897e57f948213 9568 python-werkzeug_0.14.1+dfsg1-4+deb10u2_all.buildinfo
Checksums-Sha256:
 b5faec238393398bb36352e4bcf6d15c5d40b12926471667bc97fea6f64b6b91 2612 python-werkzeug_0.14.1+dfsg1-4+deb10u2.dsc
 45b0e29d86735cad912ed19ac137308d3dd91526ac78b5607f5384745519ab3e 1109469 python-werkzeug_0.14.1+dfsg1.orig.tar.gz
 8795f1aaa4c36f6a8267e4dae591761308f96a498b7387a22dcf1a7b9a92fd0e 12844 python-werkzeug_0.14.1+dfsg1-4+deb10u2.debian.tar.xz
 5a9d4280d14f80d7754eab83369194a315708fb1d8731103e0bd856a669ff4b8 9568 python-werkzeug_0.14.1+dfsg1-4+deb10u2_all.buildinfo
Files:
 24819a075cf21501e234edd2f6b342da 2612 python optional python-werkzeug_0.14.1+dfsg1-4+deb10u2.dsc
 99b2d44b992c5f7e718eb2e46c31b480 1109469 python optional python-werkzeug_0.14.1+dfsg1.orig.tar.gz
 93fd34c7621da014e9b416d18f357c3b 12844 python optional python-werkzeug_0.14.1+dfsg1-4+deb10u2.debian.tar.xz
 660d3908b25f27742b072d960b8ca725 9568 python optional python-werkzeug_0.14.1+dfsg1-4+deb10u2_all.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
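
The CVE-2023-23934 entry above describes a parsing ambiguity; the following is an added example, not code from Werkzeug or from this upload. It is a simplified model: parse_lenient, parse_strict, nameless_pairs and the sample headers are hypothetical names and constructed values, and dropping empty-name pairs is one way to harden the parse, assumed here rather than taken from the patch.

```python
# Added illustration: simplified model of nameless-cookie handling.
# Not Werkzeug's parser; all names and sample headers are constructed.

def parse_lenient(header):
    """Model of the flaw: a leading '=' is skipped, so '=k=v' yields k -> v."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip().lstrip("=")  # the nameless-cookie marker is lost here
        if not pair:
            continue
        name, _, value = pair.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def parse_strict(header):
    """Hardened model: a pair with an empty name is a nameless cookie and is dropped."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        name = name.strip()
        if not sep or not name:  # no '=' at all, or '=value' with no name
            continue
        cookies[name] = value.strip()
    return cookies


def nameless_pairs(header):
    """Return raw pairs that start with '=', e.g. for logging or alerting."""
    return [p.strip() for p in header.split(";") if p.strip().startswith("=")]


# Constructed Cookie headers as a browser that permits nameless cookies might send them.
SAMPLE = "session=abc123; =__Host-test=bad"
SHADOWED = "__Host-test=good; =__Host-test=bad"

if __name__ == "__main__":
    for hdr in (SAMPLE, SHADOWED):
        print("header :", hdr)
        print("lenient:", parse_lenient(hdr))
        print("strict :", parse_strict(hdr))
        print("flagged:", nameless_pairs(hdr))
```
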