Debian Patches
Status for python-werkzeug/2.2.2-3+deb12u1
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
preserve-any-existing-PYTHONPATH-in-tests.patch | [PATCH] Preserve any existing PYTHONPATH in tests | Lumir Balhar <lbalhar@redhat.com> | no | | | 2021-06-22 |
remove-test_exclude_patterns-test.patch | Remove test_exclude_patterns test. Under the sbuild environment, the assert doesn't work and sys.prefix gets wrong. So I'm just removing this test. | Thomas Goirand <zigo@debian.org> | not-needed | | | 2022-09-14 |
0003-don-t-strip-leading-when-parsing-cookie.patch | CVE-2023-23934: don't strip leading = when parsing cookie Applied-Upstream: 2.2.3 diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py index 4636647..f95207a 100644 | David Lord <davidism@gmail.com> | no | debian | upstream, https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 | 2023-04-21 |
0004-limit-the-maximum-number-of-multipart-form-parts.patch | CVE-2023-25577: limit the maximum number of multipart form parts Applied-Upstream: 2.2.3 diff --git a/docs/request_data.rst b/docs/request_data.rst index 83c6278..e55841e 100644 | David Lord <davidism@gmail.com> | no | debian | upstream, https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1 | 2023-04-21 |
CVE-2023-46136.patch | Fix: slow multipart parsing for huge files with few CR/LF characters (cherry picked from commit b1916c0c083e0be1c9d887ee2f3d696922bfc5c1) | Paweł Srokosz <pawel.srokosz@cert.pl> | no | | | 2023-10-12 |
CVE-2024-34069-1.patch | restrict debugger trusted hosts. Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios. The debugger UI uses the full `document.location` instead of only `document.location.pathname`. Either of these fixes on their own mitigates the reported vulnerability. (cherry picked from commit 71b69dfb7df3d912e66bab87fbb1f21f83504967) | David Lord <davidism@gmail.com> | no | | | 2024-05-02 |
CVE-2024-34069-2.patch | only require trusted host for evalex (cherry picked from commit 890b6b62634fa61224222aee31081c61b054ff01) | David Lord <davidism@gmail.com> | no | | | 2024-05-03 |
CVE-2024-49767.patch | apply max_form_memory_size another level up in the parser (cherry picked from commit 8760275afb72bd10b57d92cb4d52abf759b2f3a7) | David Lord <davidism@gmail.com> | no | | | 2024-10-25 |

All known versions for source package 'python-werkzeug'
- 3.1.3-2 (forky, trixie, sid)
- 2.2.2-3+deb12u1 (bookworm)