31617 – python-werkzeug new security issues CVE-2023-23934 and CVE-2023-25577

Bug 31617 - python-werkzeug new security issues CVE-2023-23934 and CVE-2023-25577

Summary: python-werkzeug new security issues CVE-2023-23934 and CVE-2023-25577

Status:	RESOLVED OLD

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	Python Stack Maintainers
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2023-03-02 02:25 CET by David Walser
Modified:	2024-01-12 10:38 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	python-werkzeug-1.0.1-1.mga8.src.rpm
CVE:
Status comment:	Fixed upstream in 2.2.3

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-03-02 02:25:29 CET

Debian-LTS has issued an advisory on February 27:
https://www.debian.org/lts/security/2023/dla-3346

The issues are fixed upstream in 2.2.3:
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Mageia 8 is also affected.

David Walser 2023-03-02 02:25:42 CET

Status comment: (none) => Fixed upstream in 2.2.3
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-03-02 19:38:37 CET

This is nominally with NicolasL, who commited v2.2.2; CC'ing him, assigning to Pÿthon maintainers.

Assignee: bugsquad => python
CC: (none) => mageia

Comment 2 David Walser 2023-03-14 02:08:48 CET

Fedora has issued an advisory for this on March 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M2GTOE47WJ7BTBX2ENLG3VMBHVJQPH2D/

It looks like python-flask should be updated with this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OPHK7NCUAEEG647ETCSFYCZP47H4D7XV/

Comment 3 David Walser 2023-03-14 02:36:38 CET

Fedora advisory that actually has CVE references:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VTNTWI7NG5ZWHOUWADRZKPL3DMYZNC3Z/

Comment 4 David Walser 2023-03-14 16:34:14 CET

Ubuntu has issued an advisory for this on March 13:
https://ubuntu.com/security/notices/USN-5948-1

Summary: python-werzkeug new security issues CVE-2023-23934 and CVE-2023-25577 => python-werkzeug new security issues CVE-2023-23934 and CVE-2023-25577

Comment 5 papoteur 2023-05-05 15:34:10 CEST

This is done since 2023-03-14 for cauldron by David G

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => yves.brungard_mageia

Comment 6 David Walser 2023-05-05 16:02:12 CEST

More specifically, python-werkzeug-2.2.3-1.mga9 was uploaded.

Source RPM: python-werkzeug-2.2.2-1.mga9.src.rpm => python-werkzeug-1.0.1-1.mga8.src.rpm

Comment 7 Nicolas Salguero 2024-01-12 10:38:00 CET

Mageia 8 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero

Note You need to log in before you can comment on or make changes to this bug.