fix(deps): update dependency werkzeug to v3 [security] #253
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
86fd0e8 to
19d025a
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
3 times, most recently
from
328fd78 to
211d225
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
3 times, most recently
from
874aef5 to
8762c4a
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
f8fd773 to
1aaeb40
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
1aaeb40 to
539f05d
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
539f05d to
54dbef5
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
b5835f9 to
fc7d6c8
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
4 times, most recently
from
fd9c6f2 to
6b5b265
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
3 times, most recently
from
196d532 to
31c8d18
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
31c8d18 to
583177f
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
583177f to
4038058
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
7 times, most recently
from
6259d07 to
960bc8e
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
960bc8e to
e314900
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
2 times, most recently
from
4e964eb to
e7c7196
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
2 times, most recently
from
b71e17d to
26134df
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
3 times, most recently
from
edb3aae to
7b414b5
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
7b414b5 to
0fcb117
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
0fcb117 to
91b720e
Compare
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
whabanks
approved these changes
Jun 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.3.7->3.0.3Review
GitHub Vulnerability Alerts
CVE-2023-46136
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2024-34069
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
Configuration
📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.