Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency werkzeug to v3 [security] #2009

Merged
merged 2 commits into from
Jun 18, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 25, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Werkzeug (changelog) 2.3.7 -> 3.0.3 age adoption passing confidence

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

GitHub Vulnerability Alerts

CVE-2023-46136

Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

CVE-2024-34069

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.


Configuration

📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Pull requests that update a dependency file Renovate labels Oct 25, 2023
@renovate
Copy link
Contributor Author

renovate bot commented Oct 25, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock
Updating dependencies
Resolving dependencies...


Because notifications-utils (52.2.2) @ git+https://github.com/cds-snc/[email protected] depends on both werkzeug (2.3.7) and werkzeug (2.3.7), werkzeug is required.
So, because notification-api depends on Werkzeug (3.0.3), version solving failed.

@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 8 times, most recently from ecb93ff to 0a43114 Compare November 8, 2023 16:24
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 0a43114 to 235ab14 Compare November 9, 2023 16:59
@renovate renovate bot changed the title fix(deps): update dependency werkzeug to v3 [security] fix(deps): update dependency werkzeug to v3 [security] - autoclosed Nov 14, 2023
@renovate renovate bot closed this Nov 14, 2023
@renovate renovate bot deleted the renovate/pypi-Werkzeug-vulnerability branch November 14, 2023 00:38
@renovate renovate bot changed the title fix(deps): update dependency werkzeug to v3 [security] - autoclosed fix(deps): update dependency werkzeug to v3 [security] Nov 14, 2023
@renovate renovate bot reopened this Nov 14, 2023
@renovate renovate bot restored the renovate/pypi-Werkzeug-vulnerability branch November 14, 2023 05:15
@renovate renovate bot changed the title fix(deps): update dependency werkzeug to v3 [security] fix(deps): update dependency werkzeug to v2.3.8 [security] Nov 14, 2023
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 11 times, most recently from 6593de0 to 0722467 Compare November 20, 2023 16:14
@renovate renovate bot changed the title fix(deps): update dependency werkzeug to v2.3.8 [security] fix(deps): update dependency werkzeug to v3 [security] May 6, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 4 times, most recently from 1b86282 to b15680c Compare May 9, 2024 15:42
Copy link
Contributor Author

renovate bot commented May 9, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock
Updating dependencies
Resolving dependencies...


Because notifications-utils (52.2.4) @ git+https://github.com/cds-snc/[email protected] depends on both werkzeug (2.3.7) and werkzeug (2.3.7), werkzeug is required.
So, because notification-api depends on Werkzeug (3.0.3), version solving failed.

@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 2 times, most recently from e15c006 to 8799c04 Compare May 13, 2024 19:17
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 7 times, most recently from 4d5c2cc to a067680 Compare May 28, 2024 14:51
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 5 times, most recently from edceb0a to bc6e075 Compare June 5, 2024 18:36
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 2 times, most recently from ca9eac4 to 634dee5 Compare June 10, 2024 16:36
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 634dee5 to 846e94a Compare June 12, 2024 15:32
Copy link
Contributor Author

renovate bot commented Jun 18, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@whabanks whabanks merged commit 0800b98 into main Jun 18, 2024
4 checks passed
@whabanks whabanks deleted the renovate/pypi-Werkzeug-vulnerability branch June 18, 2024 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file Renovate
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant