Ubuntu alert USN-3463-1 (python-werkzeug)

[Moltke]

Hi everyone! Hope you're all having a nice life!
I just found this while I was checking this site which I use to visit regularly and was wondering whether  if this Ubuntu Alert USN-3463-1 Werkzeug vulnerability is something we should worry about and if so, has it been taken care of already?.

The security bulletin  says:
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

It was discovered that Werkzeug did not properly handle certain web scripts. A remote attacker could use this to inject arbitrary code via a field that contains an exception message.

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
python-werkzeug          0.10.4+dfsg1-1ubuntu1.1
python3-werkzeug        0.10.4+dfsg1-1ubuntu1.1

Ubuntu 14.04 LTS: 
python-werkzeug          0.9.4+dfsg-1.1ubuntu2.1
python3-werkzeug        0.9.4+dfsg-1.1ubuntu2.1


Should we follow instructions as detailed on the bulletin and install the suggested package or are we having a LL update to resolve that?
Thanks in advance for your answers!

[Valtam]

If you look at our package list on our Distrowatch page, you'll see what packages we ship by default.

Sent from my Mobile phone using Tapatalk

[Moltke]

Hi [member=2]Jerry[/member].
The bulletin is dated on October 25, 2017.

[Valtam]

I did see that.

What I'm trying to get folks to do with regards to packages, is check the most current list here - https://distrowatch.com/table.php?distri....6#pkglist

and see if that particular package is included by us in the ISO.

Therefore, if the package doesn't exist, there is no action to take. If the package does exist, I will give simple instructions on what to do.

Folks also need to be aware these kind of advisories appear all the time, so there can be an over-reporting of these. It's best to stick to the most important eg. the Heartbleed bug for OpenSSL is a good example of what to report.

Cheers

[Moltke]

I did see that.

What I'm trying to get folks to do with regards to packages, is check the most current list here - https://distrowatch.com/table.php?distri....6#pkglist

and see if that particular package is included by us in the ISO.

Therefore, if the package doesn't exist, there is no action to take. If the package does exist, I will give simple instructions on what to do.

Hi [member=2]Jerry[/member]
Thanks for the clarifying. I just checked the distrowatch list you shared and the mentioned package isn't on it.

be aware these kind of advisories appear all the time...It's best to stick to the most important eg. the Heartbleed bug for OpenSSL is a good example of what to report.
Cheers

Thanks for this helpful tip and the good advice too.
Cheers!

[Valtam]

No problem