[SECURITY] [DLA 4062-1] python-werkzeug security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4062-1] python-werkzeug security update
From: "Chris Lamb" <lamby@debian.org>
Date: Fri, 21 Feb 2025 16:13:07 +0000
Message-id: <[🔎] 174014240023.15022.3731229002755677066@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4062-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
February 21, 2025                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-werkzeug
Version        : 1.0.1+dfsg1-2+deb11u2
CVE ID         : CVE-2024-34069
Debian Bug     : 1070711

It was discovered that there was a potential remote code execution
vulnerability in python-werkzeug, a library used to create WSGI-based
web applications in Python.

This attack required the attacker to manipulate a developer into
interacting with a domain & subdomain they control as well as enter
the debugger PIN. But if successful, it would have allowed full
access to the debugger, even if the server was only running on
localhost. 

For Debian 11 bullseye, this problem has been fixed in version
1.0.1+dfsg1-2+deb11u2.

We recommend that you upgrade your python-werkzeug packages.

For the detailed security status of python-werkzeug please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-werkzeug

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAme4dz4ACgkQHpU+J9Qx
Hlg7Qw//bKz6GtIBfEt0IGMyBB8NfuoetoxecrNQ+e10K5yEKAKlRgse2VZfV+Kj
iHo3snME0uiRCTiY2gapwgTKH6OPLgHx5JUzmHV7hE1xF50oddcCGpfe0MjaKAGb
ieU6b3yf531rsCvrm8sYy09IXpv0OpXvRJxHK4PYqrsKLJ9j5HMX5OA9G5XhrCai
pJx26DXt5OErHFgeewbP+KykRj9v1X88PIZFaJNzL//d3k9LWL+k296zhawrMzGP
nvdvrzP7s4ZkVrDluXsE90z23uivSrRPp6TJxkSh95IjG0p1+Nu+JK7vZxlyjR+i
P6WXVKoED8Yrx0gq78sPUIDysuGMa/d10dlgiGw8D9AqyX5QZP7g11lCpTsQznwW
y/fPrr+JqYEyptUh9K3lOVnLhXhmo+58uAPcrQkb0ysKQqBfbcPDEG60eBRt5D4i
nbdFeNKWx11VksvsVGG98KbCLwDZ3TNX8wywXWLCjuemKpI5ER3E6rEd3jgju7Yh
lDvQ/0uwAqT4dOCPzUT//+QxW9fr24xFqO2kPMrJ2uw4SflLjvx4VxhSfq1Vnt0r
VsmBGHNSYo0CjGrSnefze6X5cXcxVCFPtmaY/uYIfcEq0f72WKHsRkemdKUBTbUl
IMGOKfydxVRNrWFSbmc+WawO/Pi7q6NhJjo9qX9YRUQ60WBsjxQ=
=qKPO
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4061-1] libtasn1-6 security update
Next by Date: [SECURITY] [DLA 4063-1] gnutls28 security update
Previous by thread: [SECURITY] [DLA 4061-1] libtasn1-6 security update
Next by thread: [SECURITY] [DLA 4063-1] gnutls28 security update
Index(es):
- Date
- Thread