--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package python-werkzeug/0.14.1+dfsg1-4
- From: "Ondřej Nový" <novy@ondrej.org>
- Date: Wed, 23 Oct 2019 18:00:35 +0200
- Message-id: <157184643515.30165.16797175461624787597.reportbug@sid>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I would like to update python-werkzeug in buster to fix CVE-2019-14806,
see #940935. Uploaded to proposed-updates-new (0.14.1+dfsg1-4+deb10u1),
built and tested on buster. Debdiff attached.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-werkzeug-0.14.1+dfsg1/debian/changelog python-werkzeug-0.14.1+dfsg1/debian/changelog
--- python-werkzeug-0.14.1+dfsg1/debian/changelog 2018-12-21 21:02:47.000000000 +0100
+++ python-werkzeug-0.14.1+dfsg1/debian/changelog 2019-10-23 17:48:51.000000000 +0200
@@ -1,3 +1,10 @@
+python-werkzeug (0.14.1+dfsg1-4+deb10u1) buster; urgency=medium
+
+ * Unique debugger PIN in Docker containers
+ (Closes: #940935, CVE-2019-14806)
+
+ -- Ondřej Nový <onovy@debian.org> Wed, 23 Oct 2019 17:48:51 +0200
+
python-werkzeug (0.14.1+dfsg1-4) unstable; urgency=medium
* Don't run xprocess tests without xprocess (Closes: #915776)
diff -Nru python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch
--- python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-werkzeug-0.14.1+dfsg1/debian/patches/CVE-2019-14806.patch 2019-10-23 17:41:39.000000000 +0200
@@ -0,0 +1,28 @@
+From 00bc43b1672e662e5e3b8cecd79e67fc968fa246 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Tue, 14 May 2019 13:43:22 -0700
+Subject: [PATCH] unique debugger pin in Docker containers
+Origin: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
+
+--- a/werkzeug/debug/__init__.py
++++ b/werkzeug/debug/__init__.py
+@@ -54,6 +54,19 @@
+ return rv
+
+ def _generate():
++ # docker containers share the same machine id, get the
++ # container id instead
++ try:
++ with open("/proc/self/cgroup") as f:
++ value = f.readline()
++ except IOError:
++ pass
++ else:
++ value = value.strip().partition("/docker/")[2]
++
++ if value:
++ return value
++
+ # Potential sources of secret information on linux. The machine-id
+ # is stable across boots, the boot id is not
+ for filename in '/etc/machine-id', '/proc/sys/kernel/random/boot_id':
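Review bot: In _generate(), the added block reads only the first line of /proc/self/cgroup (f.readline()) and matches only a "/docker/" path segment, so a container whose first cgroup line lacks that segment leaves value empty and falls through to /etc/machine-id, the source the added comment says containers share. Consider scanning every line of the file for a container id instead of just the first, and noting in the patch header which container setups still end up on the machine-id path. The patch header also carries Origin but no Bug-Debian field; a reference to #940935 there would tie the patch to the bug without relying on debian/changelog.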
diff -Nru python-werkzeug-0.14.1+dfsg1/debian/patches/series python-werkzeug-0.14.1+dfsg1/debian/patches/series
--- python-werkzeug-0.14.1+dfsg1/debian/patches/series 2018-12-21 20:58:41.000000000 +0100
+++ python-werkzeug-0.14.1+dfsg1/debian/patches/series 2019-10-23 17:36:00.000000000 +0200
@@ -1,3 +1,4 @@
drop_ubuntu_font.patch
0002-Use-local-copies-of-object.inv-for-building-document.patch
xprocess-skip.patch
+CVE-2019-14806.patch
--- End Message ---