
Bug#943352: stretch-pu: package python-werkzeug/0.11.15+dfsg1-1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to update python-werkzeug in stretch to fix CVE-2019-14806,
see #940935. Uploaded to proposed-updates-new (0.11.15+dfsg1-1+deb9u1),
built and tested on stretch. Debdiff attached.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-werkzeug-0.11.15+dfsg1/debian/changelog python-werkzeug-0.11.15+dfsg1/debian/changelog
--- python-werkzeug-0.11.15+dfsg1/debian/changelog	2017-01-02 11:08:13.000000000 +0100
+++ python-werkzeug-0.11.15+dfsg1/debian/changelog	2019-10-23 18:08:38.000000000 +0200
@@ -1,3 +1,10 @@
+python-werkzeug (0.11.15+dfsg1-1+deb9u1) stretch; urgency=medium
+
+  * Unique debugger PIN in Docker containers
+    (Closes: #940935, CVE-2019-14806)
+
+ -- Ondřej Nový <onovy@debian.org>  Wed, 23 Oct 2019 18:08:38 +0200
+
 python-werkzeug (0.11.15+dfsg1-1) unstable; urgency=medium
 
   * New upstream release
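Review bot: the changelog entry names the bug and CVE but not that the change is a backport of an upstream commit; since the patch header below carries `Origin: https://github.com/pallets/werkzeug/commit/00bc43b1...`, a short phrase such as "Backport upstream commit 00bc43b" in the bullet would let readers of the changelog alone trace the fix without opening debian/patches.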
diff -Nru python-werkzeug-0.11.15+dfsg1/debian/patches/CVE-2019-14806.patch python-werkzeug-0.11.15+dfsg1/debian/patches/CVE-2019-14806.patch
--- python-werkzeug-0.11.15+dfsg1/debian/patches/CVE-2019-14806.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-werkzeug-0.11.15+dfsg1/debian/patches/CVE-2019-14806.patch	2019-10-23 17:41:39.000000000 +0200
@@ -0,0 +1,28 @@
+From 00bc43b1672e662e5e3b8cecd79e67fc968fa246 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Tue, 14 May 2019 13:43:22 -0700
+Subject: [PATCH] unique debugger pin in Docker containers
+Origin: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
+
+--- a/werkzeug/debug/__init__.py
++++ b/werkzeug/debug/__init__.py
+@@ -54,6 +54,19 @@
+         return rv
+ 
+     def _generate():
++        # docker containers share the same machine id, get the
++        # container id instead
++        try:
++            with open("/proc/self/cgroup") as f:
++                value = f.readline()
++        except IOError:
++            pass
++        else:
++            value = value.strip().partition("/docker/")[2]
++
++            if value:
++                return value
++
+         # Potential sources of secret information on linux.  The machine-id
+         # is stable across boots, the boot id is not
+         for filename in '/etc/machine-id', '/proc/sys/kernel/random/boot_id':
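Review bot: the new `_generate()` branch reads only the first line of `/proc/self/cgroup` and accepts only the `/docker/<id>` path form; a container whose Docker id sits on a later line, or under a different cgroup path naming, yields an empty `value` and falls through to the `/etc/machine-id` loop below, which is the shared-id behaviour CVE-2019-14806 is about, so it is worth a comment (or a test on stretch's Docker) noting that the fallback still applies in that layout. The `except IOError: pass` is the right choice for a Python 2 build, and the `else:` clause keeps the early `return value` outside the try, so the control flow is otherwise sound.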
diff -Nru python-werkzeug-0.11.15+dfsg1/debian/patches/series python-werkzeug-0.11.15+dfsg1/debian/patches/series
--- python-werkzeug-0.11.15+dfsg1/debian/patches/series	2017-01-02 11:03:52.000000000 +0100
+++ python-werkzeug-0.11.15+dfsg1/debian/patches/series	2019-10-23 18:02:19.000000000 +0200
@@ -1,2 +1,3 @@
 drop_ubuntu_font.patch
 0002-Use-local-copies-of-object.inv-for-building-document.patch
+CVE-2019-14806.patch