[Python-modules-team] Bug#824948: Memory exhaustion vulnerability in built-in web server
Enrico Zini
enrico at debian.org
Sat May 21 17:39:45 UTC 2016
Package: python3-werkzeug
Version: 0.11.9+dfsg1-1
Severity: normal
Hello,
thank you for maintaining werkzeug.
I have reported this upstream (https://github.com/pallets/werkzeug/issues/936)
and I think it's worth having also here: the built-in web server of
werkzeug has a remotely exploitable DoS vulnerability. Since it is only
intended to be used for development, fixing it is not a high priority.
Hopefully there is no code in Debian that exposes a Werkzeug built-in
server to the internet by default:
$ apt-cache rdepends python-werkzeug
python-werkzeug
Reverse Depends:
python-werkzeug-doc
python-django-extensions
tilestache
tilelite
python-werkzeug-doc
python-httpbin
python-pytest-localserver
python-moinmoin
klaus
python-flask
python-flaskext.wtf
python-aodh
python-designate
chaussette
python-ceilometer
$ apt-cache rdepends python3-werkzeug
python3-werkzeug
Reverse Depends:
python3-httpbin
python3-pytest-localserver
python3-flask
python3-flaskext.wtf
Enrico
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3-werkzeug depends on:
ii libjs-jquery 1.12.3-1
pn python3:any <none>
Versions of packages python3-werkzeug recommends:
ii python3 3.5.1-3
ii python3-openssl 16.0.0-1
ii python3-pyinotify 0.9.5-1
Versions of packages python3-werkzeug suggests:
ii ipython3 2.4.1-1
pn python-werkzeug-doc <none>
ii python3-lxml 3.6.0-1
ii python3-pkg-resources 20.10.1-1
-- no debconf information