Bug 33201

Summary: python-werkzeug new security issue CVE-2024-34069
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs, yvesbrungard
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: python-werkzeug-2.3.3-1.mga9.src.rpm CVE: CVE-2024-34069
Status comment:

Description Nicolas Salguero 2024-05-13 15:12:12 CEST 
SUSE has released an advisory on May 9:
https://lwn.net/Articles/973069/

For Cauldron, version 3.0.3 fixes the problem.

Mageia 9 is also affected.
Nicolas Salguero 2024-05-13 15:12:45 CEST

Status comment: (none) => Fixed upstream in 3.0.3 and patches available from upstream
CVE: (none) => CVE-2024-34069
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-werkzeug-3.0.2-1.mga10.src.rpm

Comment 1 Lewis Smith 2024-05-16 21:15:34 CEST 
This is the best I can fnd for a patch, but it is just to the SPEC file:
 https://build.opensuse.org/request/show/1172322
However, the same page makes reference to many 'changed' files; and clicking those buttons shows what look more like real patches.

Another update for the Python people.

Assignee: bugsquad => python

Comment 2 David GEIGER 2024-05-18 07:22:07 CEST 
Fixed for Cauldron!

CC: (none) => geiger.david68210
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 3 Nicolas Salguero 2024-05-31 10:11:22 CEST 
Ubuntu has issued an advisory on May 29:
https://ubuntu.com/security/notices/USN-6799-1

Source RPM: python-werkzeug-3.0.2-1.mga10.src.rpm => python-werkzeug-2.3.3-1.mga9.src.rpm
Status comment: Fixed upstream in 3.0.3 and patches available from upstream => Patches available from upstream and Ubuntu

Comment 4 papoteur 2024-06-23 22:06:16 CEST 
Submitting:
SRPMS:
python-werkzeug-3.0.3-1.mga9
RPMS:
python3-werkzeug-3.0.3-1.mga9.noarch

Assignee: python => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
CC: (none) => yvesbrungard

katnatek 2024-06-24 01:16:24 CEST

Keywords: (none) => advisory

Comment 5 katnatek 2024-06-24 01:29:04 CEST 
RH mageia 9 x86_64
 
LC_ALL=C urpmi python3-werkzeug

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-werkzeug-2.3.3-1.mga9.noarch.rpm
installing python3-werkzeug-2.3.3-1.mga9.noarch.rpm from /var/cache/urpmi/rpms                                                      
Preparing...                     ##################################################################################################
      1/1: python3-werkzeug      ##################################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing python3-werkzeug-3.0.3-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-werkzeug      ##################################################################################################
      1/1: removing python3-werkzeug-2.3.3-1.mga9.noarch
                                 ##################################################################################################

As in previous rounds give OK in base a clean install

Feel free of provide/suggest other test

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 6 papoteur 2024-06-24 07:45:34 CEST 
Installing python3-werkzeug-3.0.3 from testing
Running madb tests which open each page.
Got this:
tests/test_app.py: 11 warnings
  /usr/lib/python3.10/site-packages/flask/testing.py:118: DeprecationWarning: The '__version__' attribute is deprecated and will be removed in Werkzeug 3.1. Use feature detection or 'importlib.metadata.version("werkzeug")' instead.
    "HTTP_USER_AGENT": f"werkzeug/{werkzeug.__version__}",

This is just a warning of usage of werkzeug in Flask. I presume that newer version of Flask will fix that, but this does merit the update of Flask.
For me, this is OK.
Comment 7 Thomas Andrews 2024-06-24 14:03:14 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2024-06-24 21:05:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED