Your message dated Sat, 13 Aug 2016 15:57:44 +0200
with message-id
<CAOO6c=wej3puei-khtbuofofo_jbcgbt4quuj9t1wszsmxx...@mail.gmail.com>
and subject line
has caused the Debian Bug report #824948,
regarding Memory exhaustion vulnerability in built-in web server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
824948: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824948
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-werkzeug
Version: 0.11.9+dfsg1-1
Severity: normal
Hello,
thank you for maintaining werkzeug.
I have reported this upstream (https://github.com/pallets/werkzeug/issues/936)
and I think it's worth having also here: the built-in web server of
werkzeug has a remotely exploitable DoS vulnerability. Since it is only
intended to be used for development, fixing it is not a high priority.
Hopefully there is no code in Debian that exposes a Werkzeug built-in
server to the internet by default:
$ apt-cache rdepends python-werkzeug
python-werkzeug
Reverse Depends:
  python-werkzeug-doc
  python-django-extensions
  tilestache
  tilelite
  python-werkzeug-doc
  python-httpbin
  python-pytest-localserver
  python-moinmoin
  klaus
  python-flask
  python-flaskext.wtf
  python-aodh
  python-designate
  chaussette
  python-ceilometer
$ apt-cache rdepends python3-werkzeug
python3-werkzeug
Reverse Depends:
  python3-httpbin
  python3-pytest-localserver
  python3-flask
  python3-flaskext.wtf
Enrico
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3-werkzeug depends on:
ii libjs-jquery 1.12.3-1
pn python3:any <none>
Versions of packages python3-werkzeug recommends:
ii python3 3.5.1-3
ii python3-openssl 16.0.0-1
ii python3-pyinotify 0.9.5-1
Versions of packages python3-werkzeug suggests:
ii ipython3 2.4.1-1
pn python-werkzeug-doc <none>
ii python3-lxml 3.6.0-1
ii python3-pkg-resources 20.10.1-1
-- no debconf information
--- End Message ---
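The report above does not say how the exhaustion is triggered, so the practical check is the one the reporter hints at: find Werkzeug development servers that are reachable beyond loopback. The following is an added example for this thread, not Werkzeug or Debian code. It parses raw HTTP/1.x responses and flags a server whose Server header announces Werkzeug; it assumes the dev server identifies itself as "Werkzeug/<version> Python/<version>" (what the 0.11-era request handler sends), and the bind addresses and responses fed to it are constructed samples, not captures from real hosts.

```python
"""Flag Werkzeug development servers reachable beyond loopback.

Added example, not Werkzeug or Debian code.  Assumption: the dev server
advertises itself as "Werkzeug/<version> Python/<version>" in the Server
header, and the caller knows the address each listener is bound to.
"""
import re

# Werkzeug's handler puts its own version first, then the Python version.
WERKZEUG_RE = re.compile(r"^Werkzeug/(\S+)(?:\s+Python/(\S+))?", re.IGNORECASE)
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_response_headers(raw):
    """Return (status_code, headers) from raw HTTP/1.x response bytes.

    Header names are lower-cased so lookups are case-insensitive; the body
    is ignored.  Raises ValueError when the status line is not HTTP/1.x.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a junk line rather than abort the scan
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def werkzeug_version(raw):
    """Return the Werkzeug version advertised in the response, or None."""
    _status, headers = parse_response_headers(raw)
    m = WERKZEUG_RE.match(headers.get("server", ""))
    return m.group(1) if m else None


def is_loopback(bind):
    """Loopback bindings are the dev server's intended use; anything else
    is reachable from other hosts."""
    return bind.startswith("127.") or bind in ("::1", "localhost")


def exposed_dev_servers(captures):
    """From (bind_address, raw_response) pairs, list the Werkzeug dev
    servers that are bound to a non-loopback address."""
    findings = []
    for bind, raw in captures:
        version = werkzeug_version(raw)
        if version is not None and not is_loopback(bind):
            findings.append((bind, version))
    return findings


# Constructed sample responses (not captured from any real host).
SAMPLE_WERKZEUG = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: Werkzeug/0.11.9 Python/3.5.1\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: 12\r\n\r\n"
                   b"Hello World!")
SAMPLE_NGINX = (b"HTTP/1.1 200 OK\r\n"
                b"Server: nginx/1.10.3\r\n"
                b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    inventory = [("0.0.0.0", SAMPLE_WERKZEUG),
                 ("127.0.0.1", SAMPLE_WERKZEUG),
                 ("0.0.0.0", SAMPLE_NGINX)]
    for bind, version in exposed_dev_servers(inventory):
        print("exposed Werkzeug dev server %s bound to %s" % (version, bind))
```

A server that hides or rewrites its Server header will not be caught this way, so treat a hit as confirmation and a miss as inconclusive; the authoritative check is still which address the process binds, which is why the bind address is an input here rather than inferred from the response.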
--- Begin Message ---
From upstream:
The Werkzeug server is already vulnerable to every imaginable kind of DoS.
That's not on purpose, but it keeps the code simple, so I guess it is at
least known by the author.
I'm going to close this. There is plenty more that is wrong with that
server. It's for development purposes only.
--
Best regards
Ondřej Nový
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team