An update for python-werkzeug is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1999 Final 1.0 1.0 2025-08-15 Initial 2025-08-15 2025-08-15 openEuler SA Tool V1.0 2025-08-15 python-werkzeug security update An update for python-werkzeug is now available for openEuler-24.03-LTS A comprehensive WSGI web application library Security Fix(es): Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.(CVE-2023-46136) An update for python-werkzeug is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-werkzeug https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1999 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-46136 https://nvd.nist.gov/vuln/detail/CVE-2023-46136 openEuler-24.03-LTS python-werkzeug-help-2.2.3-4.oe2403.noarch.rpm python3-werkzeug-2.2.3-4.oe2403.noarch.rpm python-werkzeug-2.2.3-4.oe2403.src.rpm Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1. 2025-08-15 CVE-2023-46136 openEuler-24.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H python-werkzeug security update 2025-08-15 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1999