Commit
Werkzeug >=2.0.0, <3.0.1 has a bug (in some cases, a security bug) that may result in excessive CPU usage and worker timeout when a huge file (usually over 50MB) with a specific layout is uploaded to MWDB.

The issue is when the uploaded file contents are meaningful/random at the beginning (contain CR/LF bytes) and then are extensively padded with zeroes. This is a common file pattern for bloated malware samples and memory dumps, so it may highly affect performance or even cause a denial of service if MWDB is flooded with such file uploads.

References:
- https://www.cve.org/CVERecord?id=CVE-2023-46136
- pallets/werkzeug#2801
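As an added example (not part of this commit or of MWDB's code), the following Python code checks a requirements-style file for exact Werkzeug pins that fall inside the affected range quoted in the commit message. The function names and the sample lines are assumptions made for illustration.

```python
import re

# Affected range as stated in the commit message: >=2.0.0, <3.0.1
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (3, 0, 1)

# Matches exact pins such as "Werkzeug==2.2.3" or "werkzeug[watchdog]==2.3.7".
# The lookahead skips pre-release and wildcard pins (e.g. "3.0.1rc1", "2.0.*"),
# which this example does not try to order.
PIN_RE = re.compile(
    r"^\s*werkzeug\s*(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)(?![0-9A-Za-z.*])",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '2.2' into (2, 2, 0); only plain numeric release versions."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version_text):
    """True when the version lies in the range given in the commit message."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN


def audit_requirements(lines):
    """Return (line_number, version, affected) for each exact Werkzeug pin."""
    findings = []
    for number, line in enumerate(lines, start=1):
        line = line.split("#", 1)[0]  # drop comments
        match = PIN_RE.match(line)
        if match:
            version = match.group(1)
            findings.append((number, version, is_affected(version)))
    return findings


# Constructed sample input, not taken from MWDB's own requirements file.
SAMPLE = [
    "Flask==2.0.3",
    "Werkzeug==2.0.3  # pinned",
    "werkzeug==3.0.1",
    "# Werkzeug==2.2.0 (commented out)",
    "Werkzeug[watchdog]==2.3.7 ; python_version >= '3.8'",
]

if __name__ == "__main__":
    for number, version, affected in audit_requirements(SAMPLE):
        print(f"line {number}: Werkzeug {version} -> {'AFFECTED' if affected else 'ok'}")
```

Range specifiers other than `==` are not evaluated here; resolve them to the installed version before checking.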