Bug 2264275 - CVE-2023-46136 python-werkzeug: high resource consumption leading to denial of service [epel-9]
Summary: CVE-2023-46136 python-werkzeug: high resource consumption leading to denial o...
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-werkzeug
Version: epel9
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Troy Dawson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2023-46136
Reported: 2024-02-14 20:44 UTC by Ken Dreyer (Red Hat)
Modified: 2024-02-14 20:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
System: Fedora Package Sources
ID: python-werkzeug pull-request 17
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2024-02-14 20:50:48 UTC

Description Ken Dreyer (Red Hat) 2024-02-14 20:44:14 UTC
Description of problem:
EPEL 9 ships werkzeug 2.0.3, and this is vulnerable to CVE-2023-46136

https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw

Version-Release number of selected component (if applicable):
python-werkzeug-2.0.3-3.el9.1

How reproducible:
unknown

Steps to Reproduce:
unknown

Additional info:
dist-git has an (unbuilt) update to 2.2.1, but we need to update to 2.3.8 to resolve this.

Comment 1 Ken Dreyer (Red Hat) 2024-02-14 20:50:36 UTC
https://src.fedoraproject.org/rpms/python-werkzeug/pull-request/17 updates to 2.3.8 and enables the unit tests.

I have built this but not tested it.

