Mageia 9 MGASA-2024-0351 Moderate: python-werkzeug DoS Fix
mageia
November 9, 2024
Werkzeug is a Web Server Gateway Interface web application library
Summary
Werkzeug is a Web Server Gateway Interface web application library.
Applications using `werkzeug.formparser.MultiPartParser` corresponding
to a version of Werkzeug prior to 3.0.6 to parsing `multipart/form-data`
requests (e.g. all flask applications) are vulnerable to a relatively
simple but effective resource exhaustion (denial of service) attack. A
specifically crafted form submission request can cause the parser to
allocate and block 3 to 8 times the upload size in main memory. There is
no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in
less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
References
- https://bugs.mageia.org/show_bug.cgi?id=33732
- https://ubuntu.com/security/notices/USN-7093-1
- https://www.cve.org/CVERecord?id=CVE-2024-49767
Resolution
SRPMS
- 9/core/python-werkzeug-3.0.6-1.mga9
PREVIOUS
NEXT
Publication date: 09 Nov 2024
URL: https://advisories.mageia.org/MGASA-2024-0351.html
Type: security
CVE: CVE-2024-49767
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!