python3-werkzeug: Fix CVE-2024-49767

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-49767 Upstream-patch: 8760275afb Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-04-02 05:38:39 +00:00 · 2024-12-27 08:33:32 +00:00
parent c3deda05a7
commit c59e8e9dbc
2 changed files with 89 additions and 1 deletions
--- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
+++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
@@ -15,7 +15,8 @@ PYPI_PACKAGE = "Werkzeug"
 SRC_URI += "file://CVE-2023-25577.patch \
            file://CVE-2023-23934.patch \
            file://CVE-2024-34069-0001.patch \
-            file://CVE-2024-34069-0002.patch"
+            file://CVE-2024-34069-0002.patch \
+            file://CVE-2024-49767.patch"

 SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"