Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to update python-werkzeug in buster to fix CVE-2019-14806, see #940935.

Uploaded to proposed-updates-new (0.14.1+dfsg1-4+deb10u1), built and tested on buster.

Debdiff attached.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru python-werkzeug-0.14.1+dfsg1/debian/changelog python-werkzeug-0.14.1+dfsg1/debian/changelog --- python-werkzeug-0.14.1+dfsg1/debian/changelog 2018-12-21 21:02:47.000000000 +0100 +++ python-werkzeug-0.14.1+dfsg1/debian/changelog 2019-10-23 17:48:51.000000000 +0200 @@ -1,3 +1,10 @@ +python-werkzeug (0.14.1+dfsg1-4+deb10u1) buster; urgency=medium + + * Unique debugger PIN in Docker containers + (Closes: #940935, CVE-2019-14806) + + -- Ondřej Nový <on...@debian.org> Wed, 23 Oct 2019 17:48:51 +0200 + python-werkzeug (0.14.1+dfsg1-4) unstable; urgency=medium * Don't run xprocess tests without xprocess (Closes: #915776) diff -Nru python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch --- python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch 2019-10-23 17:41:39.000000000 +0200 
@@ -0,0 +1,28 @@ +From 00bc43b1672e662e5e3b8cecd79e67fc968fa246 Mon Sep 17 00:00:00 2001 +From: David Lord <david...@gmail.com> +Date: Tue, 14 May 2019 13:43:22 -0700 +Subject: [PATCH] unique debugger pin in Docker containers +Origin: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246 + +--- a/werkzeug/debug/__init__.py ++++ b/werkzeug/debug/__init__.py +@@ -54,6 +54,19 @@ + return rv + + def _generate(): ++ # docker containers share the same machine id, get the ++ # container id instead ++ try: ++ with open("/proc/self/cgroup") as f: ++ value = f.readline() ++ except IOError: ++ pass ++ else: ++ value = value.strip().partition("/docker/")[2] ++ ++ if value: ++ return value ++ + # Potential sources of secret information on linux. The machine-id + # is stable across boots, the boot id is not + for filename in '/etc/machine-id', '/proc/sys/kernel/random/boot_id': diff -Nru python-werkzeug-0.14.1+dfsg1/debian/patches/series python-werkzeug-0.14.1+dfsg1/debian/patches/series --- python-werkzeug-0.14.1+dfsg1/debian/patches/series 2018-12-21 20:58:41.000000000 +0100 +++ python-werkzeug-0.14.1+dfsg1/debian/patches/series 2019-10-23 17:36:00.000000000 +0200 @@ -1,3 +1,4 @@ drop_ubuntu_font.patch 0002-Use-local-copies-of-object.inv-for-building-document.patch xprocess-skip.patch +CVE-2019-14806.patch
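
Review bot: In the `_generate()` hunk of debian/patches/CVE-2019-14806.patch, only the first line of `/proc/self/cgroup` is inspected (`value = f.readline()`), so whenever that line carries no `/docker/` component the function silently falls through to `/etc/machine-id`, the value the new comment describes as shared between containers. Consider iterating over every line of the file and returning the first non-empty `partition("/docker/")[2]` result, and extend the comment to say that the match covers only cgroup paths containing `/docker/`. The early `return value` also bypasses the machine-id and boot_id sources entirely; if that is intended, state it in the comment, and a test that feeds a sample cgroup line through this branch would make the behaviour explicit.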