USN-5948-1: Werkzeug vulnerabilities
13 March 2023
Several security issues were fixed in Werkzeug.
Releases
Packages
- python-werkzeug - collection of utilities for WSGI applications (Python 2.x)
Details
It was discovered that Werkzeug did not properly handle the parsing of
nameless cookies. A remote attacker could possibly use this issue to
shadow other cookies. (CVE-2023-23934)
It was discovered that Werkzeug could be made to process unlimited number
of multipart form data parts. A remote attacker could possibly use this
issue to cause Werkzeug to consume resources, leading to a denial of
service. (CVE-2023-25577)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.10
Ubuntu 22.04
Ubuntu 20.04
Ubuntu 18.04
Ubuntu 16.04
-
python3-werkzeug
-
0.10.4+dfsg1-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
python-werkzeug
-
0.10.4+dfsg1-1ubuntu1.2+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5948-2: python-werkzeug, python-werkzeug-doc, python3-werkzeug