An update for python-werkzeug is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1425 Final 1.0 1.0 2025-04-18 Initial 2025-04-18 2025-04-18 openEuler SA Tool V1.0 2025-04-18 python-werkzeug security update An update for python-werkzeug is now available for openEuler-22.03-LTS-SP4 *werkzeug* German noun: "tool". Etymology: *werk* ("work"), *zeug* ("stuff") Werkzeug is a comprehensive `WSGI`_ web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes: - An interactive debugger that allows inspecting stack traces and source code in the browser with an interactive interpreter for any frame in the stack. - A full-featured request object with objects to interact with headers, query args, form data, files, and cookies. - A response object that can wrap other WSGI applications and handle streaming data. - A routing system for matching URLs to endpoints and generating URLs for endpoints, with an extensible system for capturing variables from URLs. - HTTP utilities to handle entity tags, cache control, dates, user agents, cookies, files, and more. - A threaded WSGI server for use while developing applications locally. - A test client for simulating HTTP requests during testing without requiring running a server. Werkzeug doesn't enforce any dependencies. It is up to the developer to choose a template engine, database adapter, and even how to handle requests. It can be used to build all sorts of end user applications such as blogs, wikis, or bulletin boards. `Flask`_ wraps Werkzeug, using it to handle the details of WSGI while providing more structure and patterns for defining powerful applications. Security Fix(es): Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.(CVE-2024-49767) An update for python-werkzeug is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-werkzeug https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1425 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-49767 https://nvd.nist.gov/vuln/detail/CVE-2024-49767 openEuler-22.03-LTS-SP4 python-werkzeug-2.0.3-5.oe2203sp4.src.rpm python-werkzeug-help-2.0.3-5.oe2203sp4.noarch.rpm python3-werkzeug-2.0.3-5.oe2203sp4.noarch.rpm Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue. 2025-04-18 CVE-2024-49767 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H python-werkzeug security update 2025-04-18 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1425