Your message dated Sun, 17 Nov 2024 14:50:50 +0000
with message-id <[email protected]>
and subject line Bug#1086063: fixed in quart 0.19.9-1
has caused the Debian Bug report #1086063,
regarding quart: CVE-2024-49767
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1086063: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086063
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: quart
Version: 0.19.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for quart.
CVE-2024-49767[0]:
| Werkzeug is a Web Server Gateway Interface web application library.
| Applications using `werkzeug.formparser.MultiPartParser`
| corresponding to a version of Werkzeug prior to 3.0.6 to parse
| `multipart/form-data` requests (e.g. all flask applications) are
| vulnerable to a relatively simple but effective resource exhaustion
| (denial of service) attack. A specifically crafted form submission
| request can cause the parser to allocate and block 3 to 8 times the
| upload size in main memory. There is no upper limit; a single upload
| at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
| Werkzeug version 3.0.6 fixes this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-49767
https://www.cve.org/CVERecord?id=CVE-2024-49767
[1] https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
[2] https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
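The advisory above describes the defect as a form parser that buffers a crafted non-file field in memory without an effective upper bound, and the changelog for 0.19.9 describes the fix as applying `max_form_memory_size` correctly to large non-file fields. The following added example (written for this page, not the parser from quart or werkzeug) shows the mitigation class in a minimal stand-alone multipart/form-data parser: each byte of a non-file field is charged against a single budget before it is buffered, so an oversized field is refused after one read chunk instead of after the whole body has been consumed. The parameter name `max_form_memory_size` is taken from the changelog; the boundary string, the chunk size and the sample bodies are constructed for the illustration and are assumptions.

```python
import io
import re

# Constructed sample boundary; not from the page or any real request.
BOUNDARY = b"----constructed-boundary"


class FormMemoryExceeded(Exception):
    """Raised as soon as buffered non-file fields would exceed the budget."""


def _parse_headers(raw):
    """Turn a raw part-header block into a lower-cased dict."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if b":" in line:
            key, value = line.split(b":", 1)
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def _disposition(value):
    """Extract name and filename from a Content-Disposition header value."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', value))
    return params.get("name"), params.get("filename")


def _fill(stream, buf, chunk_size):
    """Append one more chunk from the stream, refusing truncated bodies."""
    chunk = stream.read(chunk_size)
    if not chunk:
        raise ValueError("truncated multipart body")
    return buf + chunk


def parse_multipart(stream, boundary, max_form_memory_size, chunk_size=4096):
    """Parse multipart/form-data from a binary stream under a memory budget.

    Non-file fields are held in memory and charged, as their bytes arrive,
    against max_form_memory_size (the total across all non-file fields).
    The check runs *before* data is appended, so the parser never holds more
    than the budget plus one read chunk of non-file data.  File fields go to
    a BytesIO here (a real server would spool them to disk) and are not
    charged.  Returns (form, files) keyed by field name.
    """
    opening = b"--" + boundary + b"\r\n"
    delim = b"\r\n--" + boundary
    form, files = {}, {}
    memory_used = 0
    buf = b""

    # Skip any preamble up to the first boundary line.
    while opening not in buf:
        buf = _fill(stream, buf, chunk_size)
    buf = buf[buf.index(opening) + len(opening):]

    while True:
        # Part headers end at the first blank line.
        while b"\r\n\r\n" not in buf:
            buf = _fill(stream, buf, chunk_size)
        raw_headers, buf = buf.split(b"\r\n\r\n", 1)
        name, filename = _disposition(_parse_headers(raw_headers).get("content-disposition", ""))
        is_file = filename is not None
        sink = io.BytesIO()

        def accept(data):
            # Charge non-file bytes against the budget before buffering them.
            nonlocal memory_used
            if not is_file:
                if memory_used + len(data) > max_form_memory_size:
                    raise FormMemoryExceeded(
                        f"non-file form data exceeds {max_form_memory_size} bytes")
                memory_used += len(data)
            sink.write(data)

        # Stream the body until the next delimiter, flushing as we go.
        while True:
            idx = buf.find(delim)
            if idx != -1:
                accept(buf[:idx])
                buf = buf[idx + len(delim):]
                break
            # Keep a tail that could be the start of a delimiter split across chunks.
            keep = len(delim) - 1
            if len(buf) > keep:
                accept(buf[:-keep])
                buf = buf[-keep:]
            buf = _fill(stream, buf, chunk_size)

        if is_file:
            files[name] = sink.getvalue()
        else:
            form[name] = sink.getvalue().decode("utf-8")

        # After a delimiter comes either "--" (final boundary) or CRLF (next part).
        while len(buf) < 2:
            buf = _fill(stream, buf, chunk_size)
        if buf.startswith(b"--"):
            return form, files
        buf = buf[2:]


def build_body(parts, boundary=BOUNDARY):
    """Construct a multipart/form-data body from (name, filename, payload) tuples."""
    out = b""
    for name, filename, payload in parts:
        out += b"--" + boundary + b"\r\n"
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out += disp.encode() + b"\r\n"
        if filename is not None:
            out += b"Content-Type: application/octet-stream\r\n"
        out += b"\r\n" + payload + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def demo():
    """Parse a normal request, then an oversized non-file field (both constructed)."""
    ok_body = build_body([("comment", None, b"hello world"),
                          ("upload", "blob.bin", b"\x00" * 5000)])
    form, files = parse_multipart(io.BytesIO(ok_body), BOUNDARY, max_form_memory_size=1024)

    big = io.BytesIO(build_body([("comment", None, b"A" * 100_000)]))
    try:
        parse_multipart(big, BOUNDARY, max_form_memory_size=1024)
        rejected = False
    except FormMemoryExceeded:
        rejected = True
    # big.tell() shows how much of the 100 kB body was read before refusal: one chunk.
    return form, files, rejected, big.tell()


if __name__ == "__main__":
    form, files, rejected, consumed = demo()
    print(form, {k: len(v) for k, v in files.items()}, rejected, consumed)
```

The design point is where the size check sits: it is evaluated on every flushed chunk before the bytes are retained, so the worst case held in memory is the budget plus one chunk, and the rejected request is abandoned after a single read rather than after the whole body has been received and copied.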
--- Begin Message ---
Source: quart
Source-Version: 0.19.9-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
quart, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated quart package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 17 Nov 2024 15:07:18 +0100
Source: quart
Architecture: source
Version: 0.19.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1086063
Changes:
quart (0.19.9-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2024-49767: Fix how `max_form_memory_size` is applied when parsing
large non-file fields (closes: #1086063).
Checksums-Sha1:
f9d7c16fe99f5e32b76acd4f2df03caf0f68c354 2652 quart_0.19.9-1.dsc
be1d9cd11ca777b4d36e1ad82d94491179e26b58 597400 quart_0.19.9.orig.tar.xz
9cb16ba28a5154dea95da07819d7e5c455022d1c 6388 quart_0.19.9-1.debian.tar.xz
Checksums-Sha256:
7b4271d8787a9d8e9b07ecac2b3755f019423844ebce06f3197704339c1f5fc8 2652 quart_0.19.9-1.dsc
327fd9749502f2897fc3b99b57677b74627199246587a93e7c1f74d896921521 597400 quart_0.19.9.orig.tar.xz
a0377d46e69c76b1d9c8c7ff06dc31fe821021df4027c28843bb3ce0193302bd 6388 quart_0.19.9-1.debian.tar.xz
Files:
0315891196343df9dcd3a39a1e951af6 2652 python optional quart_0.19.9-1.dsc
2feee5ede71f84a7f8b8ba39bb6e2a54 597400 python optional quart_0.19.9.orig.tar.xz
aa8ffc1fe263c9ae17770e0a9050e924 6388 python optional quart_0.19.9-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---