SUSE has released an advisory on May 9: https://lwn.net/Articles/973069/ For Cauldron, version 3.0.3 fixes the problem. Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in 3.0.3 and patches available from upstream
CVE: (none) => CVE-2024-34069
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-werkzeug-3.0.2-1.mga10.src.rpm
This is the best I can find for a patch, but it is just to the SPEC file: https://build.opensuse.org/request/show/1172322 However, the same page makes reference to many 'changed' files; and clicking those buttons shows what look more like real patches. Another update for the Python people.
Assignee: bugsquad => python
Fixed for Cauldron!
CC: (none) => geiger.david68210
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Ubuntu has issued an advisory on May 29: https://ubuntu.com/security/notices/USN-6799-1
Source RPM: python-werkzeug-3.0.2-1.mga10.src.rpm => python-werkzeug-2.3.3-1.mga9.src.rpm
Status comment: Fixed upstream in 3.0.3 and patches available from upstream => Patches available from upstream and Ubuntu
Submitting:
SRPMS: python-werkzeug-3.0.3-1.mga9
RPMS: python3-werkzeug-3.0.3-1.mga9.noarch
Assignee: python => qa-bugs
Status comment: Patches available from upstream and Ubuntu => (none)
CC: (none) => yvesbrungard
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi python3-werkzeug
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-werkzeug-2.3.3-1.mga9.noarch.rpm
installing python3-werkzeug-2.3.3-1.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ##################################################################################################
1/1: python3-werkzeug ##################################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing python3-werkzeug-3.0.3-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: python3-werkzeug ##################################################################################################
1/1: removing python3-werkzeug-2.3.3-1.mga9.noarch ##################################################################################################

As in previous rounds, giving an OK based on a clean install.
Feel free to provide/suggest other tests.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Installing python3-werkzeug-3.0.3 from testing.
Running madb tests, which open each page. Got this:

tests/test_app.py: 11 warnings
/usr/lib/python3.10/site-packages/flask/testing.py:118: DeprecationWarning: The '__version__' attribute is deprecated and will be removed in Werkzeug 3.1. Use feature detection or 'importlib.metadata.version("werkzeug")' instead.
"HTTP_USER_AGENT": f"werkzeug/{werkzeug.__version__}",

This is just a warning about the usage of werkzeug in Flask. I presume that a newer version of Flask will fix that, but this does merit the update of Flask. For me, this is OK.
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0234.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED