[Python-modules-team] Bug#824948: Memory exhaustion vulnerability in built-in web server

Enrico Zini enrico at debian.org
Sat May 21 17:39:45 UTC 2016


Package: python3-werkzeug
Version: 0.11.9+dfsg1-1
Severity: normal

Hello,

thank you for maintaining werkzeug.

I have reported this upstream (https://github.com/pallets/werkzeug/issues/936)
and I think it's worth having also here: the built-in web server of
werkzeug has a remotely exploitable DoS vulnerability. Since it is only
intended to be used for development, fixing it is not a high priority.

Hopefully there is no code in Debian that exposes a Werkzeug built-in
server to the internet by default:

        $ apt-cache rdepends python-werkzeug
        python-werkzeug
        Reverse Depends:
          python-werkzeug-doc
          python-django-extensions
          tilestache
          tilelite
          python-werkzeug-doc
          python-httpbin
          python-pytest-localserver
          python-moinmoin
          klaus
          python-flask
          python-flaskext.wtf
          python-aodh
          python-designate
          chaussette
          python-ceilometer
        $ apt-cache rdepends python3-werkzeug
        python3-werkzeug
        Reverse Depends:
          python3-httpbin
          python3-pytest-localserver
          python3-flask
          python3-flaskext.wtf


Enrico


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-werkzeug depends on:
ii  libjs-jquery  1.12.3-1
pn  python3:any   <none>

Versions of packages python3-werkzeug recommends:
ii  python3            3.5.1-3
ii  python3-openssl    16.0.0-1
ii  python3-pyinotify  0.9.5-1

Versions of packages python3-werkzeug suggests:
ii  ipython3               2.4.1-1
pn  python-werkzeug-doc    <none>
ii  python3-lxml           3.6.0-1
ii  python3-pkg-resources  20.10.1-1

-- no debconf information
