Fedora has issued an advisory today (November 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NTI6ITUXQVZPXSLKMWUGXDORTZEC2CJY/

The issue is fixed in 0.11.11. The upstream fix is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1512102

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Advisory:
========================

Updated python-werkzeug packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message (CVE-2016-10516).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NTI6ITUXQVZPXSLKMWUGXDORTZEC2CJY/
========================

Updated packages in core/updates_testing:
========================

python-werkzeug-0.9.4-7.1.mga5
python3-werkzeug-0.9.4-7.1.mga5
python-werkzeug-0.11.3-1.1.mga6
python3-werkzeug-0.11.3-1.1.mga6

from SRPMS:
python-werkzeug-0.9.4-7.1.mga5.src.rpm
python-werkzeug-0.11.3-1.1.mga6.src.rpm
Assignee: mageia => qa-bugs
Created attachment 9865
Possible Python script for this update

In case it can be used. Taken from: https://github.com/pallets/werkzeug/pull/1001 and commented "The exc and plaintext_cs variable, XSS has been the defense. But the plaintext didn't do that ... it make the debug page can be XSS".
Re the attachment: http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/ puts it into context. Doubtless the whole lot could be put together by a devotee with time.

------------

Trying M5/64

No previous bugs on this... "The Swiss Army knife of Python web development"

$ urpmq --whatrequires python-werkzeug | uniq
openerp-server
python-flask

$ urpmq --whatrequires-recursive python-werkzeug | uniq
docker-registry
mitmproxy
openerp-extras
openerp-gap-analysis
openerp-git
openerp-google-api
openerp-openeducat
openerp-risk-management
openerp-server
python-flask

None the wiser.

BEFORE the update:
python-werkzeug-0.9.4-7.mga5
python3-werkzeug-0.9.4-7.mga5

Well, running that code example alone did nothing:
$ python cve-2016-10516.py
$ python3 Desktop/cve-2016-10516.py
so it probably is worthless.

AFTER the 'clean' update:
python-werkzeug-0.9.4-7.1.mga5
python3-werkzeug-0.9.4-7.1.mga5

I am going to OK just on this basis; and hope someone else can do better.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Keywords: (none) => advisory
CC: (none) => lewyssmith
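The bug class the advisory describes, as an added illustration that is not part of this bug report, the attached PoC, or Werkzeug's own code: a minimal stand-in for the debugger's render_full() that drops an exception message into the HTML page verbatim, beside the escaped form that the 0.11.11 fix corresponds to. The template, function names and the tainted sample input are constructed for this example.

```python
import html

# Constructed stand-in for the debugger's page template (hypothetical,
# not Werkzeug's real markup): the exception type and message are
# interpolated into HTML.
PAGE_TEMPLATE = (
    '<h1>{exc_type}</h1>'
    '<div class="detail"><p class="errormsg">{exc_msg}</p></div>'
)


def render_full_unescaped(exc: BaseException) -> str:
    """Vulnerable shape: str(exc) reaches the browser without escaping."""
    return PAGE_TEMPLATE.format(exc_type=type(exc).__name__, exc_msg=str(exc))


def render_full_escaped(exc: BaseException) -> str:
    """Fixed shape: every string that may carry user input is HTML-escaped.

    html.escape(quote=True) neutralises <, >, &, " and ' so the exception
    text can only ever be rendered as text, never parsed as markup.
    """
    return PAGE_TEMPLATE.format(
        exc_type=html.escape(type(exc).__name__, quote=True),
        exc_msg=html.escape(str(exc), quote=True),
    )


def contains_unescaped_markup(rendered: str, untrusted: str) -> bool:
    """Review check: does the untrusted input survive verbatim in the page?"""
    return untrusted in rendered


def demo(tainted: str) -> tuple[str, str]:
    """Feed a user-controlled value into an exception message and render it both ways.

    int() echoes the offending literal in its ValueError text, which is
    exactly how request data ends up inside an exception message.
    """
    try:
        int(tainted)
    except ValueError as exc:
        return render_full_unescaped(exc), render_full_escaped(exc)
    raise AssertionError("constructed input was expected to raise ValueError")


if __name__ == "__main__":
    # Constructed sample input: a request value an attacker controls.
    unescaped, escaped = demo("<b>not a number</b>")
    print(unescaped)
    print(escaped)
```

The check reports whether the tainted text still appears literally in the rendered page, which is the condition under which the debugger page becomes an XSS sink.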
Installed openerp-server, confirmed that without any setup systemctl start openerp-server.service starts the service. Installed the update, then restarted the openerp-server ok. Validating the update.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Forgot to add, that was on m6 x86_64.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0040.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED