-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 27 Feb 2023 18:25:42 +0100 Source: python-werkzeug Architecture: source Version: 0.14.1+dfsg1-4+deb10u2 Distribution: buster-security Urgency: high Maintainer: Python Modules Packaging Team <python-modules-team@lists.alioth.debian.org> Changed-By: Sylvain Beucler <beuc@debian.org> Closes: 1031370 Changes: python-werkzeug (0.14.1+dfsg1-4+deb10u2) buster-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * CVE-2023-23934: Werkzeug will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. (Closes: #1031370) * CVE-2023-25577: Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. (Closes: #1031370) Checksums-Sha1: 7906341721ee187d6483918419e54390f51947b1 2612 python-werkzeug_0.14.1+dfsg1-4+deb10u2.dsc c1e1525608134964708afafb6c559e5314be3fe9 1109469 python-werkzeug_0.14.1+dfsg1.orig.tar.gz 07e29224d4cda04c1981284bec4359361cb04823 12844 python-werkzeug_0.14.1+dfsg1-4+deb10u2.debian.tar.xz ccea81d6799cf87b8187a430e37897e57f948213 9568 python-werkzeug_0.14.1+dfsg1-4+deb10u2_all.buildinfo Checksums-Sha256: b5faec238393398bb36352e4bcf6d15c5d40b12926471667bc97fea6f64b6b91 2612 python-werkzeug_0.14.1+dfsg1-4+deb10u2.dsc 45b0e29d86735cad912ed19ac137308d3dd91526ac78b5607f5384745519ab3e 1109469 python-werkzeug_0.14.1+dfsg1.orig.tar.gz 8795f1aaa4c36f6a8267e4dae591761308f96a498b7387a22dcf1a7b9a92fd0e 12844 python-werkzeug_0.14.1+dfsg1-4+deb10u2.debian.tar.xz 5a9d4280d14f80d7754eab83369194a315708fb1d8731103e0bd856a669ff4b8 9568 python-werkzeug_0.14.1+dfsg1-4+deb10u2_all.buildinfo Files: 24819a075cf21501e234edd2f6b342da 2612 python optional python-werkzeug_0.14.1+dfsg1-4+deb10u2.dsc 99b2d44b992c5f7e718eb2e46c31b480 1109469 python optional python-werkzeug_0.14.1+dfsg1.orig.tar.gz 93fd34c7621da014e9b416d18f357c3b 12844 python optional python-werkzeug_0.14.1+dfsg1-4+deb10u2.debian.tar.xz 660d3908b25f27742b072d960b8ca725 9568 python optional python-werkzeug_0.14.1+dfsg1-4+deb10u2_all.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmP86XEACgkQDTl9HeUl XjAilQ//VyVJMRPlpnyqOqvPSNpNk9J3rO9PHLcKbbsVrz5reOuDDYzn23/L0B8a ZKL7wFAW2F3Tn3ZR0yZidfEyHQ7CggRTOoLid1aLrJZkX/4LAPVFJ79Jo5J2S2Nz GtbrRyi2MG1+4SfSUU/+z247QiiJlqMooIVEgAdgDQB/e4x21t71QLqJ2WbAuSqE rBR/XwHtiGv3jsY0t3F6mzrPgFQNkxwcHPxg+/yq1dtJsNUXdW00XUPKnj3Zcr2c zXSdc7wZk6QSNpTQ1fHmx/+Um+scUfJXVnnfHcwFuBYEV7NY5z5gkbP3R1RTbsB7 gJzhyKWaQ6JuRDSYSOGA4Di916ZtytfAgF2Uq98b6bhRL7YYTQ40ydusv5A8yhIa ZQhJzcmEeOx3sRPUfZh+tVOnTCFzs50yL6BlUwQaBV+L6OvvEKDvbnRM6xxW7WGI p+SCXStMEKIBt0iP5a2713MBL9scykQDn/jCbOxc1HhwrvafuWsMvWivE6u1iiXV x77HuTUTZvgBn+KRjIJrPriVfzdL7E/5fimmH7GgVCGTulLrx7t80R3dfO678Jko 1ksGbvYtKMRPOlAxvlqsI3BcUxw21zr9EO8//JuiHS8+HfiSEjNR+0Vy0cEZYCC5 ploAet/zWp2lDxWQ8TXXrHAcZS7lDwGafnCSDotd0Y4V2dLx2A8= =gcam -----END PGP SIGNATURE-----