https://bugzilla.redhat.com/show_bug.cgi?id=2264275
Bug ID: 2264275
Summary: CVE-2023-46136 python-werkzeug: high resource consumption leading to denial of service [epel-9]
Product: Fedora EPEL
Version: epel9
Status: NEW
Component: python-werkzeug
Assignee: tdawson@redhat.com
Reporter: kdreyer@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: aurelien@bompard.org, epel-packagers-sig@lists.fedoraproject.org, fzatlouk@redhat.com, karlthered@gmail.com, python-packagers-sig@lists.fedoraproject.org, tdawson@redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem: EPEL 9 ships werkzeug 2.0.3, and this is vulnerable to CVE-2023-46136
https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
Version-Release number of selected component (if applicable): python-werkzeug-2.0.3-3.el9.1
How reproducible: unknown
Steps to Reproduce: unknown
Additional info: dist-git has an (unbuilt) update to 2.2.1, but we need to update to 2.3.8 to resolve this.
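A check a practitioner could run against this finding, as an added example that is not the bug report's or the Fedora package's own code: it splits RPM name-version-release strings such as the one quoted above, compares the upstream version numerically against the 2.3.8 fix version named in the report (so 2.10.0 is correctly treated as newer than 2.3.8, which a plain string compare gets wrong), and flags affected installs. The sample package list is constructed to look like `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output; the function names and the assumption that every upstream version below 2.3.8 is affected are this example's own.

```python
import re

# Fix version named in the bug report. Assumption for this example:
# any upstream werkzeug version below it is treated as affected.
FIXED_VERSION = "2.3.8"

# Binary and source package names to look for (assumption: EPEL's
# binary package is python3-werkzeug, the source package python-werkzeug).
WERKZEUG_NAMES = ("python-werkzeug", "python3-werkzeug")

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output; not real host data.
SAMPLE_RPM_QA = """\
python3-flask-2.0.3-1.el9
python3-werkzeug-2.0.3-3.el9.1
python3-jinja2-3.0.3-1.el9
"""


def parse_version(version: str) -> tuple:
    """Turn a dotted upstream version into a tuple that compares numerically.

    Each component becomes (number, 0 or -1, suffix) so that a pre-release
    such as '2.3.8rc1' sorts before the final '2.3.8'.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d+)(.*)$", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        number, suffix = int(match.group(1)), match.group(2)
        parts.append((number, 0 if suffix == "" else -1, suffix))
    return tuple(parts)


def split_nvr(nvr: str) -> tuple:
    """Split 'name-version-release' into its three parts.

    The name may itself contain dashes, so split from the right.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the upstream version is older than the fixed version."""
    return parse_version(version) < parse_version(fixed)


def is_affected_nvr(nvr: str) -> bool:
    """Evaluate a single werkzeug NVR such as 'python-werkzeug-2.0.3-3.el9.1'."""
    name, version, _release = split_nvr(nvr)
    if name not in WERKZEUG_NAMES:
        raise ValueError(f"not a werkzeug package: {name!r}")
    return is_affected(version)


def find_affected(rpm_qa_output: str) -> list:
    """Return the werkzeug NVRs in a package listing that are below the fix."""
    affected = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, _release = split_nvr(line)
        if name in WERKZEUG_NAMES and is_affected(version):
            affected.append(line)
    return affected


if __name__ == "__main__":
    for nvr in find_affected(SAMPLE_RPM_QA):
        print(f"affected by CVE-2023-46136: {nvr} (fixed in {FIXED_VERSION})")
```

On a real host, pipe the `rpm -qa` query into `find_affected`; the release field is ignored on purpose, because the fix here is an upstream version bump rather than a backported patch, so the upstream version alone decides.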
Ken Dreyer (Red Hat) kdreyer@redhat.com changed:
What    | Removed | Added
--------+---------+--------------------------
Blocks  |         | 2246310 (CVE-2023-46136)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2246310 [Bug 2246310] CVE-2023-46136 python-werkzeug: high resource consumption leading to denial of service
--- Comment #1 from Ken Dreyer (Red Hat) kdreyer@redhat.com --- https://src.fedoraproject.org/rpms/python-werkzeug/pull-request/17 updates to 2.3.8 and enables the unit tests.
I have built this but not tested it.
Ken Dreyer (Red Hat) kdreyer@redhat.com changed:
What    | Removed | Added
--------+---------+-------------------------------------------------------
Link ID |         | Fedora Package Sources python-werkzeug/pull-request/17