Linux Lite Forums

General => Security & Bug Fixes => Topic started by: Moltke on October 26, 2017, 11:58:58 PM

Title: Ubuntu alert USN-3463-1 (python-werkzeug)
Post by: Moltke on October 26, 2017, 11:58:58 PM
Hi everyone! Hope you're all having a nice life! :)
I just found this while I was checking this site (https://lwn.net) which I use to visit regularly and was wondering whether  if this Ubuntu Alert USN-3463-1 Werkzeug vulnerability is something we should worry about and if so, has it been taken care of already?.

The security bulletin  says:
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

It was discovered that Werkzeug did not properly handle certain web scripts. A remote attacker could use this to inject arbitrary code via a field that contains an exception message.

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
 python-werkzeug          0.10.4+dfsg1-1ubuntu1.1
 python3-werkzeug        0.10.4+dfsg1-1ubuntu1.1

Ubuntu 14.04 LTS:   
python-werkzeug          0.9.4+dfsg-1.1ubuntu2.1
python3-werkzeug        0.9.4+dfsg-1.1ubuntu2.1


Should we follow instructions as detailed on the bulletin and install the suggested package or are we having a LL update to resolve that?
Thanks in advance for your answers! :)
Title: Re: Ubuntu alert USN-3463-1 (python-werkzeug)
Post by: Jerry on October 27, 2017, 03:08:21 AM
If you look at our package list on our Distrowatch page, you'll see what packages we ship by default.

Sent from my Mobile phone using Tapatalk

Title: Re: Ubuntu alert USN-3463-1 (python-werkzeug)
Post by: Moltke on October 27, 2017, 05:46:59 AM
Hi @Jerry.
The bulletin is dated on October 25, 2017.

(https://i.imgur.com/oiVokf9.png)
Title: Re: Ubuntu alert USN-3463-1 (python-werkzeug)
Post by: Jerry on October 27, 2017, 07:19:19 AM
I did see that.

What I'm trying to get folks to do with regards to packages, is check the most current list here - https://distrowatch.com/table.php?distribution=lite&pkglist=true&version=3.6#pkglist

and see if that particular package is included by us in the ISO.

Therefore, if the package doesn't exist, there is no action to take. If the package does exist, I will give simple instructions on what to do.

Folks also need to be aware these kind of advisories appear all the time, so there can be an over-reporting of these. It's best to stick to the most important eg. the Heartbleed bug for OpenSSL is a good example of what to report.

Cheers :)
Title: Re: Ubuntu alert USN-3463-1 (python-werkzeug)
Post by: Moltke on October 27, 2017, 05:36:42 PM
I did see that.

What I'm trying to get folks to do with regards to packages, is check the most current list here - https://distrowatch.com/table.php?distribution=lite&pkglist=true&version=3.6#pkglist

and see if that particular package is included by us in the ISO.

Therefore, if the package doesn't exist, there is no action to take. If the package does exist, I will give simple instructions on what to do.


Hi @Jerry
Thanks for the clarifying. I just checked the distrowatch list you shared and the mentioned package isn't on it.

Quote
be aware these kind of advisories appear all the time...It's best to stick to the most important eg. the Heartbleed bug for OpenSSL is a good example of what to report.
Cheers :)

Thanks for this helpful tip and the good advice too.
Cheers! :)
Title: Re: Ubuntu alert USN-3463-1 (python-werkzeug)
Post by: Jerry on October 27, 2017, 09:42:10 PM
No problem :)