From: Xu Huan <[email protected]>

Changelog:
==========

The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses.
Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>.
Fix ability to set some cache_control attributes to False.
Disable keep-alive connections in the development server, which are not supported sufficiently by Python’s http.server.
Signed-off-by: Xu Huan <[email protected]> Signed-off-by: Khem Raj <[email protected]> (cherry picked from commit 0704ebad0d31eec1737e0313b0f221085a9e8166) Rebased patches in Kirkstone. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../python/python3-werkzeug/CVE-2023-23934.patch | 3 +-- .../python/python3-werkzeug/CVE-2023-25577.patch | 6 +++--- ...{python3-werkzeug_2.1.1.bb => python3-werkzeug_2.1.2.bb} | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) rename meta-python/recipes-devtools/python/{python3-werkzeug_2.1.1.bb => python3-werkzeug_2.1.2.bb} (94%) diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch index 3a0f4324a1..69c3e3e56c 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch @@ -33,9 +33,8 @@ index 6e809ba..13ef75b 100644 resource use. +- A cookie header that starts with ``=`` is treated as an empty key and discarded, + rather than stripping the leading ``==``. -+ - Version 2.1.1 + Version 2.1.2 ------------- diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py index a8b3523..d6290ba 100644 diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch index 61551d8fca..351f939b78 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-25577.patch @@ -25,15 +25,15 @@ index a351d7c..6e809ba 100644 +++ b/CHANGES.rst 
@@ -1,5 +1,10 @@ .. currentmodule:: werkzeug - + +- Specify a maximum number of multipart parts, default 1000, after which a + ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS + attack where a larger number of form/file parts would result in disproportionate + resource use. + - Version 2.1.1 + Version 2.1.2 ------------- - + diff --git a/docs/request_data.rst b/docs/request_data.rst index 83c6278..e55841e 100644 --- a/docs/request_data.rst diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.2.bb similarity index 94% rename from meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb rename to meta-python/recipes-devtools/python/python3-werkzeug_2.1.2.bb index 0a18a48406..3c50d19173 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.2.bb @@ -18,7 +18,7 @@ SRC_URI += "file://CVE-2023-25577.patch \ file://CVE-2024-34069-0002.patch \ file://CVE-2024-49767.patch" -SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" +SRC_URI[sha256sum] = "1ce08e8093ed67d638d63879fd1ba3735817f7a80de3674d293f5984f25fb6e6" inherit pypi setuptools3
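Review bot: in the CVE-2023-23934.patch hunk (`@@ -33,9 +33,8 @@`), the removed `-+` line drops one added blank line from the patch's embedded CHANGES.rst hunk, but that embedded `@@` header sits above outer line 33 and is outside the context shown, so its new-side line count has to be decremented by one as well or `git apply`/`patch` will reject the hunk as corrupt. Please confirm the header was updated (or regenerate the patch against the 2.1.2 tree rather than hand-editing it), and also confirm that a blank line still separates the `- A cookie header that starts with ...` list item from the `Version 2.1.2` title, since docutils needs one for the title to parse; the context shown here does not make clear whether one remains.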
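Review bot: in the CVE-2023-25577.patch hunk (`@@ -25,15 +25,15 @@`), the only change is the embedded context line `Version 2.1.1` -> `Version 2.1.2`, which is the minimum needed for the hunk to match 2.1.2's CHANGES.rst, and the embedded `@@ -1,5 +1,10 @@` counts are unaffected, so that part is correct. One ordering point worth recording in the commit message: the embedded index lines chain (`index a351d7c..6e809ba` here, `index 6e809ba..13ef75b` in CVE-2023-23934.patch) and the 23934 hunk anchors on the `resource use.` line this patch adds, so CVE-2023-25577.patch must stay ahead of CVE-2023-23934.patch in SRC_URI (it currently is); if either patch is regenerated later, do it in that order.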
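Review bot: in the python3-werkzeug_2.1.2.bb hunk (`@@ -18,7 +18,7 @@`), the recipe change is only the tarball sha256sum, while the SRC_URI shown still carries CVE-2024-34069-0002.patch and CVE-2024-49767.patch, which the diffstat says were not touched; confirm they still apply on 2.1.2 (a `do_patch` run of the recipe on kirkstone is enough) and say so in the commit message, which at the moment only lists upstream changelog items and "Rebased patches in Kirkstone." Also, with `inherit pypi` the checksum covers the PyPI sdist, so note where the new `1ce08e80...` sum was taken from (PyPI's published digest or a locally computed one) so a reviewer can cross-check it.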
