SUSE-SU-2023:4288-1

Published: 31 Oct 2023
Source: suse-cvrf

Description

Security update for python-Werkzeug

This update for python-Werkzeug fixes the following issues:

  • CVE-2023-46136: Fixed a potential denial of service via large multipart file uploads (bsc#1216581).

Package list

SUSE Linux Enterprise Module for Python 3 15 SP4
python311-Werkzeug-2.3.6-150400.6.6.1
SUSE Linux Enterprise Module for Python 3 15 SP5
python311-Werkzeug-2.3.6-150400.6.6.1
openSUSE Leap 15.4
python311-Werkzeug-2.3.6-150400.6.6.1
openSUSE Leap 15.5
python311-Werkzeug-2.3.6-150400.6.6.1

Description

Werkzeug is a comprehensive WSGI web application library. When an uploaded file part starts with CR or LF and is then followed by megabytes of data containing neither character, all of those bytes are appended chunk by chunk to an internal bytearray, and the lookup for the boundary is repeated over the ever-growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that parses it. The CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.


Affected products
SUSE Linux Enterprise Module for Python 3 15 SP4:python311-Werkzeug-2.3.6-150400.6.6.1
SUSE Linux Enterprise Module for Python 3 15 SP5:python311-Werkzeug-2.3.6-150400.6.6.1
openSUSE Leap 15.4:python311-Werkzeug-2.3.6-150400.6.6.1
openSUSE Leap 15.5:python311-Werkzeug-2.3.6-150400.6.6.1

References