mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-12 03:24:08 +00:00
Code Issues Projects Releases Wiki Activity
Files
74f42273b4829a4adbb2356f5b441a6589d45d46
meta-openembedded/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
Soumya Sambu c59e8e9dbc python3-werkzeug: Fix CVE-2024-49767 
Werkzeug is a Web Server Gateway Interface web application library. Applications
using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug
prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications)
are vulnerable to a relatively simple but effective resource exhaustion (denial of
service) attack. A specifically crafted form submission request can cause the parser
to allocate and block 3 to 8 times the upload size in main memory. There is no upper
limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
Werkzeug version 3.0.6 fixes this issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49767

Upstream-patch:
8760275afb

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-12-31 09:04:08 -05:00

46 lines
1.5 KiB
BlitzBasic
Raw Blame History

SUMMARY = "The Swiss Army knife of Python web development"
DESCRIPTION = "\
Werkzeug started as simple collection of various utilities for WSGI \
applications and has become one of the most advanced WSGI utility modules. \
It includes a powerful debugger, full featured request and response objects, \
HTTP utilities to handle entity tags, cache control headers, HTTP dates, \
cookie handling, file uploads, a powerful URL routing system and a bunch \
of community contributed addon modules."
HOMEPAGE = "http://werkzeug.pocoo.org/"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
PYPI_PACKAGE = "Werkzeug"
SRC_URI += "file://CVE-2023-25577.patch \
file://CVE-2023-23934.patch \
file://CVE-2024-34069-0001.patch \
file://CVE-2024-34069-0002.patch \
file://CVE-2024-49767.patch"
SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"
inherit pypi setuptools3
CLEANBROKEN = "1"
RDEPENDS:${PN} += " \
${PYTHON_PN}-datetime \
${PYTHON_PN}-difflib \
${PYTHON_PN}-email \
${PYTHON_PN}-html \
${PYTHON_PN}-io \
${PYTHON_PN}-json \
${PYTHON_PN}-logging \
${PYTHON_PN}-netclient \
${PYTHON_PN}-netserver \
${PYTHON_PN}-numbers \
${PYTHON_PN}-pkgutil \
${PYTHON_PN}-pprint \
${PYTHON_PN}-simplejson \
${PYTHON_PN}-threading \
${PYTHON_PN}-unixadmin \
${PYTHON_PN}-misc \
${PYTHON_PN}-profile \
"
Reference in New Issue View Git Blame Copy Permalink