Debian Patches

Status for python-werkzeug/2.2.2-3+deb12u1

Patch: preserve-any-existing-PYTHONPATH-in-tests.patch
Description: [PATCH] Preserve any existing PYTHONPATH in tests
Author: Lumir Balhar <lbalhar@redhat.com>
Forwarded: no
Last update: 2021-06-22

Patch: remove-test_exclude_patterns-test.patch
Description: Remove test_exclude_patterns test
Under the sbuild environment, the assert doesn't work and sys.prefix gets wrong. So I'm just removing this test.
Author: Thomas Goirand <zigo@debian.org>
Forwarded: not-needed
Last update: 2022-09-14

Patch: 0003-don-t-strip-leading-when-parsing-cookie.patch
Description: CVE-2023-23934: don't strip leading = when parsing cookie
Applied-Upstream: 2.2.3
diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
index 4636647..f95207a 100644
Author: David Lord <davidism@gmail.com>
Forwarded: no
Bugs: debian
Origin: upstream, https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
Last update: 2023-04-21

Patch: 0004-limit-the-maximum-number-of-multipart-form-parts.patch
Description: CVE-2023-25577: limit the maximum number of multipart form parts
Applied-Upstream: 2.2.3
diff --git a/docs/request_data.rst b/docs/request_data.rst
index 83c6278..e55841e 100644
Author: David Lord <davidism@gmail.com>
Forwarded: no
Bugs: debian
Origin: upstream, https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
Last update: 2023-04-21

Patch: CVE-2023-46136.patch
Description: Fix: slow multipart parsing for huge files with few CR/LF characters
(cherry picked from commit b1916c0c083e0be1c9d887ee2f3d696922bfc5c1)
Author: Paweł Srokosz <pawel.srokosz@cert.pl>
Forwarded: no
Last update: 2023-10-12

Patch: CVE-2024-34069-1.patch
Description: restrict debugger trusted hosts
Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios.

The debugger UI uses the full `document.location` instead of only `document.location.pathname`.

Either of these fixes on their own mitigates the reported vulnerability.

(cherry picked from commit 71b69dfb7df3d912e66bab87fbb1f21f83504967)
Author: David Lord <davidism@gmail.com>
Forwarded: no
Last update: 2024-05-02

Patch: CVE-2024-34069-2.patch
Description: only require trusted host for evalex
(cherry picked from commit 890b6b62634fa61224222aee31081c61b054ff01)
Author: David Lord <davidism@gmail.com>
Forwarded: no
Last update: 2024-05-03

Patch: CVE-2024-49767.patch
Description: apply max_form_memory_size another level up in the parser
(cherry picked from commit 8760275afb72bd10b57d92cb4d52abf759b2f3a7)
Author: David Lord <davidism@gmail.com>
Forwarded: no
Last update: 2024-10-25
