| Summary: | python-werkzeug new security issue CVE-2016-10516 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | python-werkzeug-0.11.3-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Possible Python script for this update | ||
Description

David Walser 2017-11-30 21:48:43 CET

Advisory:
========================

Updated python-werkzeug packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message (CVE-2016-10516).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NTI6ITUXQVZPXSLKMWUGXDORTZEC2CJY/
========================

Updated packages in core/updates_testing:
========================
python-werkzeug-0.9.4-7.1.mga5
python3-werkzeug-0.9.4-7.1.mga5
python-werkzeug-0.11.3-1.1.mga6
python3-werkzeug-0.11.3-1.1.mga6

from SRPMS:
python-werkzeug-0.9.4-7.1.mga5.src.rpm
python-werkzeug-0.11.3-1.1.mga6.src.rpm

David Walser 2017-11-30 21:48:48 CET

Whiteboard: (none) => MGA5TOO
Assignee: mageia => qa-bugs

Created attachment 9865 [details]
Possible Python script for this update

In case it can be used. Taken from:
https://github.com/pallets/werkzeug/pull/1001
and commented "The exc and plaintext_cs variable, XSS has been the defense. But the plaintext didn't do that ... it make the debug page can be XSS".

Re the attachment: http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/ puts it into context. Doubtless the whole lot could be put together by a devotee with time.

------------
Trying M5/64

No previous bugs on this... "The Swiss Army knife of Python web development"

$ urpmq --whatrequires python-werkzeug | uniq
openerp-server
python-flask
$ urpmq --whatrequires-recursive python-werkzeug | uniq
docker-registry
mitmproxy
openerp-extras
openerp-gap-analysis
openerp-git
openerp-google-api
openerp-openeducat
openerp-risk-management
openerp-server
python-flask

None the wiser.

BEFORE the update:
python-werkzeug-0.9.4-7.mga5
python3-werkzeug-0.9.4-7.mga5

Well, running that code example alone did nothing:
$ python cve-2016-10516.py
$ python3 Desktop/cve-2016-10516.py
so it probably is worthless.

AFTER the 'clean' update:
python-werkzeug-0.9.4-7.1.mga5
python3-werkzeug-0.9.4-7.1.mga5

I am going to OK just on this basis; and hope someone else can do better.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Installed openerp-server, confirmed that without any setup
systemctl start openerp-server.service
starts the service. Installed the update, then restarted openerp-server OK.

Validating the update.

Keywords: (none) => validated_update

Forgot to add, that was on m6 x86_64.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0040.html

Resolution: (none) => FIXED
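Added example (not Werkzeug's code, not the attached script, and not part of this bug report): a hypothetical, minimal debugger page that interpolates an exception into HTML. The first renderer escapes only the heading and leaves the plain-text traceback raw, the pattern the quoted PR comment describes; the second escapes every exception-derived string before it reaches the template. The template, the function names (render_full_vulnerable / render_full_fixed are stand-ins, not Werkzeug's render_full), raise_with_tainted_message and the payload are all constructed for the illustration.

```python
# Added illustration (not Werkzeug's code): an exception message reaching a
# debugger's HTML page unescaped, beside the fix of escaping every
# exception-derived string before interpolation.
import traceback
from html import escape

# Hypothetical stand-in for a debugger's full-page template, not the real one.
PAGE_TEMPLATE = (
    "<h1>{exc}</h1>\n"
    '<div class="plain"><pre>{plaintext}</pre></div>\n'
)


def format_plaintext(exc):
    """Plain-text traceback; its last line repeats the exception message."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_full_vulnerable(exc):
    """'Before' behaviour: the heading is escaped, the plaintext traceback is not."""
    heading = escape("%s: %s" % (type(exc).__name__, exc))
    return PAGE_TEMPLATE.format(exc=heading, plaintext=format_plaintext(exc))


def render_full_fixed(exc):
    """'After' behaviour: every exception-derived string is escaped."""
    heading = escape("%s: %s" % (type(exc).__name__, exc))
    return PAGE_TEMPLATE.format(exc=heading, plaintext=escape(format_plaintext(exc)))


def raw_occurrences(html, marker):
    """Number of times marker appears in html verbatim, i.e. unescaped."""
    return html.count(marker)


# Constructed attacker-controlled value that ends up inside an exception message.
PAYLOAD = "<script>alert(document.domain)</script>"


def raise_with_tainted_message(value):
    """Stand-in for application code that echoes user input in an error message."""
    raise ValueError("invalid value: %s" % value)


def demo(payload=PAYLOAD):
    """Render the same exception both ways; returns (vulnerable_html, fixed_html)."""
    try:
        raise_with_tainted_message(payload)
    except ValueError as exc:
        return render_full_vulnerable(exc), render_full_fixed(exc)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("raw payload in vulnerable page:", raw_occurrences(vulnerable, PAYLOAD))
    print("raw payload in fixed page:     ", raw_occurrences(fixed, PAYLOAD))
```

Running the script shows the raw payload once in the vulnerable page (in the traceback block) and never in the fixed one, where it survives only as the harmless &lt;script&gt; form. This is also what a test for the update could check: render a known exception through the debugger and grep the output for the unescaped marker, rather than running the attached script on its own, which has nothing to exercise without a debugger page to render into.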