From b7ab23179d01d442802721f2100e0409aa17e32a Mon Sep 17 00:00:00 2001 From: Xu Huan Date: Fri, 16 Jan 2026 08:38:08 +0100 Subject: [PATCH] python3-werkzeug: upgrade 2.1.1 -> 2.1.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changelog: ========== The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses. Response HTML for exceptions and redirects starts with and . Fix ability to set some cache_control attributes to False. Disable keep-alive connections in the development server, which are not supported sufficiently by Python’s http.server. Signed-off-by: Xu Huan Signed-off-by: Khem Raj (cherry picked from commit 0704ebad0d31eec1737e0313b0f221085a9e8166) Rebased patches in Kirkstone. Signed-off-by: Gyorgy Sarvari --- .../python/python3-werkzeug/CVE-2023-23934.patch | 5 ++--- .../python/python3-werkzeug/CVE-2023-25577.patch | 6 +++--- ...{python3-werkzeug_2.1.1.bb => python3-werkzeug_2.1.2.bb} | 2 +- 3 files changed, 6 insertions(+), 7 deletions(-) rename meta-python/recipes-devtools/python/{python3-werkzeug_2.1.1.bb => python3-werkzeug_2.1.2.bb} (94%) diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch index 3a0f4324a1..268a29b368 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch @@ -27,15 +27,14 @@ diff --git a/CHANGES.rst b/CHANGES.rst index 6e809ba..13ef75b 100644 --- a/CHANGES.rst 
+++ b/CHANGES.rst -@@ -4,6 +4,9 @@ +@@ -4,6 +4,8 @@ ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS attack where a larger number of form/file parts would result in disproportionate resource use. +- A cookie header that starts with ``=`` is treated as an empty key and discarded, + rather than stripping the leading ``==``. -+ - Version 2.1.1 + Version 2.1.2 ------------- diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py index a8b3523..d6290ba 100644 diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch index 61551d8fca..351f939b78 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch @@ -25,15 +25,15 @@ index a351d7c..6e809ba 100644 +++ b/CHANGES.rst @@ -1,5 +1,10 @@ .. currentmodule:: werkzeug - + +- Specify a maximum number of multipart parts, default 1000, after which a + ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS + attack where a larger number of form/file parts would result in disproportionate + resource use. + - Version 2.1.1 + Version 2.1.2 ------------- - + diff --git a/docs/request_data.rst b/docs/request_data.rst index 83c6278..e55841e 100644 --- a/docs/request_data.rst diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.2.bb similarity index 94% rename from meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb rename to meta-python/recipes-devtools/python/python3-werkzeug_2.1.2.bb index 0a18a48406..3c50d19173 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.2.bb 
@@ -18,7 +18,7 @@ SRC_URI += "file://CVE-2023-25577.patch \ file://CVE-2024-34069-0002.patch \ file://CVE-2024-49767.patch" -SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" +SRC_URI[sha256sum] = "1ce08e8093ed67d638d63879fd1ba3735817f7a80de3674d293f5984f25fb6e6" inherit pypi setuptools3
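Review bot: In the CVE-2023-23934.patch hunk, the refresh does more than retarget the context from `Version 2.1.1` to `Version 2.1.2`: it also drops the trailing added blank line after the cookie entry and changes the inner hunk header from `+4,9` to `+4,8`, and the commit message covers this only with "Rebased patches in Kirkstone." Please confirm the refreshed patch applies to the 2.1.2 sources without fuzz or offset, and that CHANGES.rst still has a blank line between the new bullet and the `Version 2.1.2` heading. A short note in the patch header saying it was refreshed for 2.1.2 would help later backporters.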
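Review bot: In the CVE-2023-25577.patch hunk, two of the three changed line pairs are whitespace-only edits to blank context lines (after `.. currentmodule:: werkzeug` and after `-------------`); only the `Version 2.1.1` to `Version 2.1.2` context change is needed for the rebase. Please check whether the refresh added or stripped trailing whitespace on those lines. If the patch applies without them, drop the two whitespace changes so the diff against the upstream fix stays minimal and easy to audit.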
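Review bot: In the python3-werkzeug_2.1.2.bb hunk, the context still shows `file://CVE-2024-34069-0002.patch` and `file://CVE-2024-49767.patch` in SRC_URI, but the diffstat only touches CVE-2023-23934.patch and CVE-2023-25577.patch. Please state in the commit message that the remaining patches in SRC_URI were checked and apply cleanly to 2.1.2 without a refresh. It would also help to say where the new `SRC_URI[sha256sum]` value came from (for example, that it matches the 2.1.2 sdist published on PyPI), since the hash is the only integrity check on the fetched tarball.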