Bug 2264275

Summary: CVE-2023-46136 python-werkzeug: high resource consumption leading to denial of service [epel-9]
Product: [Fedora] Fedora EPEL
Reporter: Ken Dreyer (Red Hat) <kdreyer>
Component: python-werkzeug
Assignee: Troy Dawson <tdawson>
Status: NEW ---
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: epel9
CC: aurelien, epel-packagers-sig, fzatlouk, karlthered, python-packagers-sig, tdawson
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2246310

Description Ken Dreyer (Red Hat) 2024-02-14 20:44:14 UTC
Description of problem:
EPEL 9 ships werkzeug 2.0.3, and this is vulnerable to CVE-2023-46136

https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw

Version-Release number of selected component (if applicable):
python-werkzeug-2.0.3-3.el9.1

How reproducible:
unknown

Steps to Reproduce:
unknown

Additional info:
dist-git has an (unbuilt) update to 2.2.1, but we need to update to 2.3.8 to resolve this.
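The report identifies the shipped build by its RPM NVR (python-werkzeug-2.0.3-3.el9.1) and names 2.3.8 as the version that resolves CVE-2023-46136; the interim 2.2.1 in dist-git is still below that. The following is an added example, not part of this Bugzilla report or of the python-werkzeug package: it parses NVR strings as they come out of `rpm -q`, compares the version part against the fixed version, and flags hosts in a (constructed) inventory that still run a build below 2.3.8. The host names and the 2.2.1/2.3.8 NVRs are constructed; only 2.0.3-3.el9.1 and the fixed version 2.3.8 come from the report.

```python
"""Flag python-werkzeug RPM builds still below the release that fixes
CVE-2023-46136.

Added example, not from the Bugzilla report or the package.  FIXED_VERSION
is the version the report names as resolving the CVE; the inventory below
is constructed sample data.
"""
import re
from importlib import metadata

# Version the report says resolves CVE-2023-46136.
FIXED_VERSION = "2.3.8"
PACKAGE = "python-werkzeug"


def split_nvr(nvr: str):
    """Split an RPM 'name-version-release' string into its three parts.

    Package names may themselves contain hyphens (python-werkzeug does), so
    the split is on the last two hyphens only: release is everything after
    the last hyphen, version is between the last two.
    """
    name_version, _, release = nvr.rpartition("-")
    name, _, version = name_version.rpartition("-")
    if not (name and version and release):
        raise ValueError(f"not a valid NVR: {nvr!r}")
    return name, version, release


def version_key(version: str):
    """Turn '2.0.3' into a comparable tuple ((2, 1), (0, 1), (3, 1)).

    Each segment becomes (number, flag); the flag is 0 when a pre-release
    suffix such as 'rc1' follows the number, so 2.3.8rc1 sorts below 2.3.8.
    Shorter tuples compare as expected: (2, 3) < (2, 3, 8).
    """
    key = []
    for seg in version.split("."):
        m = re.match(r"(\d+)(.*)", seg)
        if m is None:
            raise ValueError(f"unparseable version segment {seg!r} in {version!r}")
        number, suffix = int(m.group(1)), m.group(2)
        key.append((number, 0 if suffix else 1))
    return tuple(key)


def is_vulnerable(nvr: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the NVR is a python-werkzeug build older than the fix."""
    name, version, _ = split_nvr(nvr)
    if name != PACKAGE:
        raise ValueError(f"{nvr!r} is not a {PACKAGE} build")
    return version_key(version) < version_key(fixed)


def vulnerable_hosts(inventory: dict) -> list:
    """Return [(host, nvr)] for every host whose build is below the fix.

    `inventory` maps host name -> NVR string, as collected from `rpm -q`.
    """
    return [(host, nvr) for host, nvr in inventory.items() if is_vulnerable(nvr)]


def installed_werkzeug_vulnerable():
    """Check the werkzeug importable from this interpreter (pip or RPM).

    Returns True/False, or None when werkzeug is not installed at all.
    """
    try:
        version = metadata.version("werkzeug")
    except metadata.PackageNotFoundError:
        return None
    return version_key(version) < version_key(FIXED_VERSION)


# Constructed inventory: the first NVR is the one quoted in the report,
# the other two are made-up builds of the 2.2.1 update and the 2.3.8 fix.
CONSTRUCTED_INVENTORY = {
    "web-01.example": "python-werkzeug-2.0.3-3.el9.1",
    "web-02.example": "python-werkzeug-2.2.1-1.el9",
    "web-03.example": "python-werkzeug-2.3.8-1.el9",
}

if __name__ == "__main__":
    for host, nvr in vulnerable_hosts(CONSTRUCTED_INVENTORY):
        print(f"{host}: {nvr} is below {FIXED_VERSION} (CVE-2023-46136)")
    print("local werkzeug vulnerable:", installed_werkzeug_vulnerable())
```

Feed `vulnerable_hosts` the real `rpm -q python-werkzeug` output from each host and it lists the machines that still need the 2.3.8 build; note that the comparison is on the upstream version only, so a distribution backport that keeps the 2.0.3 version string but patches the parser would still be flagged.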

Comment 1 Ken Dreyer (Red Hat) 2024-02-14 20:50:36 UTC
https://src.fedoraproject.org/rpms/python-werkzeug/pull-request/17 updates to 2.3.8 and enables the unit tests.

I have built this but not tested it.