Accepting request 1071237 from devel:languages:python

- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
  * Ensure that URL rules using path converters will redirect
    with strict slashes when the trailing slash is missing.
  * Type signature for ``get_json`` specifies that return type
    is not optional when ``silent=False``.
  * ``parse_content_range_header`` returns ``None`` for a value
    like ``bytes */-1`` where the length is invalid, instead of
    raising an ``AssertionError``.
  * Address remaining ``ResourceWarning`` related to the socket
    used by ``run_simple``.
  * Remove ``prepare_socket``, which now happens when
    creating the server.
  * Update pre-existing headers for ``multipart/form-data``
    requests with the test client.
  * Fix handling of header extended parameters such that they
    are no longer quoted.
  * ``LimitedStream.read`` works correctly when wrapping a
    stream that may not return the requested size in one 
    ``read`` call.
  * A cookie header that starts with ``=`` is treated as an
    empty key and discarded, rather than stripping the leading ``==``.
  * Specify a maximum number of multipart parts, default 1000,
    after which a ``RequestEntityTooLarge`` exception is
    raised on parsing.  This mitigates a DoS attack where a
    larger number of form/file parts would result in disproportionate
    resource use.

OBS-URL: https://build.opensuse.org/request/show/1071237
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Werkzeug?expand=0&rev=40

Werkzeug-2.2.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7ea2d48322cc7c0f8b3a215ed73eabd7b5d75d0b50e31ab006286ccff9e00b8f
-size 844378

Werkzeug-2.2.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e1ccc9417d4da358b9de6f174e3ac094391ea1d4fbef2d667865d819dfd0afe
+size 845884

moved_root.patch

@@ -2,8 +2,10 @@
  tests/test_serving.py |   12 ++++++++----
  1 file changed, 8 insertions(+), 4 deletions(-)
 
---- a/tests/test_serving.py
+Index: Werkzeug-2.2.3/tests/test_serving.py
-+++ b/tests/test_serving.py
+===================================================================
+--- Werkzeug-2.2.3.orig/tests/test_serving.py
++++ Werkzeug-2.2.3/tests/test_serving.py
 @@ -10,6 +10,7 @@ from pathlib import Path
  
  import pytest
@@ -12,8 +14,8 @@
  from werkzeug import run_simple
  from werkzeug._reloader import _find_stat_paths
  from werkzeug._reloader import _find_watchdog_paths
-@@ -127,12 +128,15 @@ def test_windows_get_args_for_reloading(
+@@ -128,12 +129,15 @@ def test_windows_get_args_for_reloading(
- 
+ @pytest.mark.filterwarnings("ignore::pytest.PytestUnraisableExceptionWarning")
  @pytest.mark.parametrize("find", [_find_stat_paths, _find_watchdog_paths])
  def test_exclude_patterns(find):
 -    # Imported paths under sys.prefix will be included by default.

python-Werkzeug.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Mon Mar 13 18:48:22 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
+  * Ensure that URL rules using path converters will redirect
+    with strict slashes when the trailing slash is missing.
+  * Type signature for ``get_json`` specifies that return type
+    is not optional when ``silent=False``.
+  * ``parse_content_range_header`` returns ``None`` for a value
+    like ``bytes */-1`` where the length is invalid, instead of
+    raising an ``AssertionError``.
+  * Address remaining ``ResourceWarning`` related to the socket
+    used by ``run_simple``.
+  * Remove ``prepare_socket``, which now happens when
+    creating the server.
+  * Update pre-existing headers for ``multipart/form-data``
+    requests with the test client.
+  * Fix handling of header extended parameters such that they
+    are no longer quoted.
+  * ``LimitedStream.read`` works correctly when wrapping a
+    stream that may not return the requested size in one 
+    ``read`` call.
+  * A cookie header that starts with ``=`` is treated as an
+    empty key and discarded, rather than stripping the leading ``==``.
+  * Specify a maximum number of multipart parts, default 1000,
+    after which a ``RequestEntityTooLarge`` exception is
+    raised on parsing.  This mitigates a DoS attack where a
+    larger number of form/file parts would result in disproportionate
+    resource use.
+
 -------------------------------------------------------------------
 Tue Sep 13 17:13:05 UTC 2022 - Ben Greiner <code@bnavigator.de>
 

python-Werkzeug.spec

@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
 %endif
 
 Name:           python-Werkzeug%{psuffix}
-Version:        2.2.2
+Version:        2.2.3
 Release:        0
 Summary:        The Swiss Army knife of Python web development
 License:        BSD-3-Clause