Package: python3-werkzeug
Version: 0.11.9+dfsg1-1
Severity: normal

Hello,

thank you for maintaining werkzeug. I have reported this upstream (https://github.com/pallets/werkzeug/issues/936) and I think it's worth having also here: the built-in web server of werkzeug has a remotely exploitable DoS vulnerability.

Since it is only intended to be used for development, fixing it is not a high priority. Hopefully there is no code in Debian that exposes a Werkzeug built-in server to the internet by default:

  $ apt-cache rdepends python-werkzeug
  python-werkzeug
  Reverse Depends:
    python-werkzeug-doc
    python-django-extensions
    tilestache
    tilelite
    python-werkzeug-doc
    python-httpbin
    python-pytest-localserver
    python-moinmoin
    klaus
    python-flask
    python-flaskext.wtf
    python-aodh
    python-designate
    chaussette
    python-ceilometer

  $ apt-cache rdepends python3-werkzeug
  python3-werkzeug
  Reverse Depends:
    python3-httpbin
    python3-pytest-localserver
    python3-flask
    python3-flaskext.wtf

Enrico

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-werkzeug depends on:
ii  libjs-jquery  1.12.3-1
pn  python3:any   <none>

Versions of packages python3-werkzeug recommends:
ii  python3            3.5.1-3
ii  python3-openssl    16.0.0-1
ii  python3-pyinotify  0.9.5-1

Versions of packages python3-werkzeug suggests:
ii  ipython3               2.4.1-1
pn  python-werkzeug-doc    <none>
ii  python3-lxml           3.6.0-1
ii  python3-pkg-resources  20.10.1-1

-- no debconf information
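
One way to check the reverse dependencies listed in the report for an exposed built-in server, as an added example that is not part of the original report or of Werkzeug: it parses Python source and flags calls to `werkzeug.serving.run_simple`, or to a Flask-style `.run()`, whose host argument is a non-loopback bind address. The function name, the `<dynamic>` marker and the sample source are constructed for illustration; matching by call name is a heuristic and findings need manual review.

```python
import ast

# Bind addresses reachable from other hosts ('' means INADDR_ANY).
NON_LOOPBACK = {"0.0.0.0", "::", ""}


def _host_node(call):
    """Return the AST node passed as host/hostname, or None if absent."""
    for kw in call.keywords:
        if kw.arg in ("host", "hostname"):
            return kw.value
    # Both run_simple(hostname, port, app) and app.run(host, port)
    # take the bind address as their first positional argument.
    return call.args[0] if call.args else None


def find_exposed_dev_servers(source, filename="<src>"):
    """Return sorted (line, call_name, host) for suspicious dev-server calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name not in ("run_simple", "run"):
            continue
        host = _host_node(node)
        if isinstance(host, ast.Constant) and isinstance(host.value, str):
            if host.value in NON_LOOPBACK:
                findings.append((node.lineno, name, host.value))
        elif host is not None and name == "run_simple":
            # Host computed at run time: cannot be decided statically.
            findings.append((node.lineno, name, "<dynamic>"))
    return sorted(findings)


# Constructed sample input, not taken from any Debian package.
SAMPLE = '''
from werkzeug.serving import run_simple
from flask import Flask
app = Flask(__name__)
run_simple("127.0.0.1", 5000, app)
run_simple("0.0.0.0", 5000, app)
app.run(host="::", port=8080)
app.run()
run_simple(cfg.host, 5000, app)
'''
```
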