fix(deps): update dependency werkzeug to v3 [security] #253
Open: renovate wants to merge 1 commit into main from renovate/pypi-werkzeug-vulnerability (base: main)
Conversation
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 86fd0e8 to 19d025a on November 1, 2023 19:34
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 3 times, most recently from 328fd78 to 211d225 on November 8, 2023 21:11
renovate bot changed the title from "fix(deps): update dependency werkzeug to v3 [security]" to "fix(deps): update dependency werkzeug to v3 [security] - autoclosed" on Nov 13, 2023
renovate bot changed the title from "fix(deps): update dependency werkzeug to v3 [security] - autoclosed" to "fix(deps): update dependency werkzeug to v3 [security]" on Nov 14, 2023
renovate bot changed the title from "fix(deps): update dependency werkzeug to v3 [security]" to "fix(deps): update dependency werkzeug to v2.3.8 [security]" on Nov 14, 2023
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 3 times, most recently from 874aef5 to 8762c4a on November 20, 2023 20:59
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 4 times, most recently from f8fd773 to 1aaeb40 on November 29, 2023 17:04
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 1aaeb40 to 539f05d on December 20, 2023 17:41
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 539f05d to 54dbef5 on January 3, 2024 19:51
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 4 times, most recently from b5835f9 to fc7d6c8 on January 16, 2024 18:39
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 4 times, most recently from fd9c6f2 to 6b5b265 on February 1, 2024 19:22
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 6b5b265 to 525e062 on February 6, 2024 20:43
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 525e062 to 0db89b0 on February 14, 2024 18:32
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 02ef51d to 4e9f49a on February 22, 2024 20:45
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 4 times, most recently from 465bc3b to f616488 on March 6, 2024 20:42
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 196d532 to 31c8d18 on March 11, 2024 14:53
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 31c8d18 to 583177f on March 28, 2024 19:02
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 583177f to 4038058 on April 15, 2024 11:56
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 7 times, most recently from 6259d07 to 960bc8e on April 29, 2024 15:19
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 960bc8e to e314900 on May 1, 2024 18:24
renovate bot changed the title from "fix(deps): update dependency werkzeug to v2.3.8 [security]" to "fix(deps): update dependency werkzeug to v3 [security]" on May 6, 2024
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from 4e964eb to e7c7196 on May 9, 2024 19:31
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 2 times, most recently from b71e17d to 26134df on May 21, 2024 17:31
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 26134df to 9b4214a on May 29, 2024 14:15
renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from 9b4214a to edb3aae on May 30, 2024 13:27
This PR contains the following updates:
werkzeug 2.3.7 -> 3.0.3
GitHub Vulnerability Alerts
CVE-2023-46136
Werkzeug's multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, the code looking for a partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and the lookup for the boundary is performed on the growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2024-34069
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
Configuration
📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
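An added example, not part of the Renovate PR or the Werkzeug project: a small check that reads requirements-style `werkzeug==X.Y.Z` pins and reports which of the two CVEs listed in this PR a pin is still exposed to. The thresholds are the versions named on this page (2.3.8, the PR's interim target for CVE-2023-46136 on the 2.3 line, and 3.0.3, the final target); anything below 3.0.3 is conservatively treated as needing the update, and the sample requirements text is constructed.

```python
import re
from typing import Optional

# Matches a plain "name==version" pin; markers and comments after the version are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")

# Thresholds taken from this PR's titles/advisory text (assumption: the 3.x fix
# for CVE-2023-46136 is not named on the page, so 3.x relies on the 3.0.3 check).
FIX_CVE_2023_46136_2X = (2, 3, 8)
FIX_CVE_2024_34069 = (3, 0, 3)


def parse_version(text: str) -> tuple:
    """Turn '3.0.3' into (3, 0, 3); non-numeric tails such as 'rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pinned_version(line: str, package: str = "werkzeug") -> Optional[tuple]:
    """Return the pinned version tuple if this line pins `package`, else None."""
    m = PIN_RE.match(line)
    if not m or m.group(1).lower().replace("_", "-") != package:
        return None
    return parse_version(m.group(2))


def needed_fixes(version: tuple) -> list:
    """CVE ids from this PR that a pinned Werkzeug version is still exposed to."""
    fixes = []
    if version < FIX_CVE_2023_46136_2X:      # 2.3.7 and older: multipart DoS
        fixes.append("CVE-2023-46136")
    if version < FIX_CVE_2024_34069:         # everything before 3.0.3: debugger RCE
        fixes.append("CVE-2024-34069")
    return fixes


def scan_requirements(text: str) -> dict:
    """Map each werkzeug pin line to the CVEs it still needs; other lines are skipped."""
    report = {}
    for line in text.splitlines():
        v = pinned_version(line)
        if v is not None:
            report[line.strip()] = needed_fixes(v)
    return report
```

Running `scan_requirements` over a file containing the pin this PR changes (`werkzeug==2.3.7`) lists both CVEs; after the update to `werkzeug==3.0.3` the list is empty.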