meta-openembedded/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
Narpat Mali bdad2a789e python3-werkzeug: fix for CVE-2023-23934
Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-11 11:43:33 -04:00
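
The parsing behaviour described in the commit message above, as an added example (not Werkzeug's code and not part of this commit): a simplified Cookie-header parser showing the pre-fix handling beside a stricter one, plus a check for nameless cookies that imitate a `__Host-` or `__Secure-` name. The function names, the discard policy in `parse_strict` and the sample header are assumptions made for illustration.

```python
# Simplified model of Cookie-header parsing; not Werkzeug's implementation.
PREFIXES = ("__Host-", "__Secure-")

def parse_lenient(header):
    """Pre-fix behaviour from the commit message: the leading '=' of a
    nameless cookie is dropped, so '=__Host-test=bad' yields key '__Host-test'."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip().lstrip("=")   # the flaw: the nameless marker is lost
        if not pair:
            continue
        key, _, value = pair.partition("=")
        cookies[key.strip()] = value.strip()
    return cookies

def parse_strict(header):
    """Hardened variant (assumed policy): split on the first '=' only and
    discard any cookie whose name is empty."""
    cookies = {}
    for pair in header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if not sep or not key.strip():
            continue                      # never let a value become a key
        cookies[key.strip()] = value.strip()
    return cookies

def suspicious_nameless(header):
    """Detection helper: nameless cookies whose value imitates a prefixed name."""
    hits = []
    for pair in header.split(";"):
        pair = pair.strip()
        if pair.startswith("=") and pair[1:].lstrip().startswith(PREFIXES):
            hits.append(pair)
    return hits

# Constructed sample: a legitimate prefixed cookie followed by the nameless
# cookie quoted in the commit message.
SAMPLE = "__Host-test=good; =__Host-test=bad"

if __name__ == "__main__":
    print("lenient:", parse_lenient(SAMPLE))
    print("strict: ", parse_strict(SAMPLE))
    print("flagged:", suspicious_nameless(SAMPLE))
```

With the lenient parser the nameless cookie overrides the legitimate `__Host-test` value; the strict parser keeps the original value, and the detection helper gives a log-worthy signal either way.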


SUMMARY = "The Swiss Army knife of Python web development"
DESCRIPTION = "\
Werkzeug started as simple collection of various utilities for WSGI \
applications and has become one of the most advanced WSGI utility modules. \
It includes a powerful debugger, full featured request and response objects, \
HTTP utilities to handle entity tags, cache control headers, HTTP dates, \
cookie handling, file uploads, a powerful URL routing system and a bunch \
of community contributed addon modules."
HOMEPAGE = "http://werkzeug.pocoo.org/"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
PYPI_PACKAGE = "Werkzeug"
SRC_URI += "file://CVE-2023-25577.patch \
            file://CVE-2023-23934.patch"
SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"
inherit pypi setuptools3
CLEANBROKEN = "1"
RDEPENDS:${PN} += " \
    ${PYTHON_PN}-datetime \
    ${PYTHON_PN}-difflib \
    ${PYTHON_PN}-email \
    ${PYTHON_PN}-html \
    ${PYTHON_PN}-io \
    ${PYTHON_PN}-json \
    ${PYTHON_PN}-logging \
    ${PYTHON_PN}-netclient \
    ${PYTHON_PN}-netserver \
    ${PYTHON_PN}-numbers \
    ${PYTHON_PN}-pkgutil \
    ${PYTHON_PN}-pprint \
    ${PYTHON_PN}-simplejson \
    ${PYTHON_PN}-threading \
    ${PYTHON_PN}-unixadmin \
    ${PYTHON_PN}-misc \
    ${PYTHON_PN}-profile \
"