fix(deps): update dependency werkzeug to v3 [security] #253
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
86fd0e8
to
19d025a
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
3 times, most recently
from
328fd78
to
211d225
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
3 times, most recently
from
874aef5
to
8762c4a
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
f8fd773
to
1aaeb40
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
1aaeb40
to
539f05d
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
539f05d
to
54dbef5
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
b5835f9
to
fc7d6c8
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
fd9c6f2
to
6b5b265
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
6b5b265
to
525e062
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
525e062
to
0db89b0
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
2 times, most recently
from
02ef51d
to
4e9f49a
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
465bc3b
to
f616488
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
2 times, most recently
from
196d532
to
31c8d18
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
31c8d18
to
583177f
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
583177f
to
4038058
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
7 times, most recently
from
6259d07
to
960bc8e
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
960bc8e
to
e314900
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
2 times, most recently
from
4e964eb
to
e7c7196
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
2 times, most recently
from
b71e17d
to
26134df
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
26134df
to
9b4214a
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
9b4214a
to
edb3aae
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.3.7->3.0.3Review
GitHub Vulnerability Alerts
CVE-2023-46136
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2024-34069
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
Configuration
📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.