- update to 2.2.3 (bsc#1208283, CVE-2023-25577):

* Ensure that URL rules using path converters will redirect
    with strict slashes when the trailing slash is missing.
  * Type signature for ``get_json`` specifies that return type
    is not optional when ``silent=False``.
  * ``parse_content_range_header`` returns ``None`` for a value
    like ``bytes */-1`` where the length is invalid, instead of
    raising an ``AssertionError``.
  * Address remaining ``ResourceWarning`` related to the socket
    used by ``run_simple``.
  * Remove ``prepare_socket``, which now happens when
    creating the server.
  * Update pre-existing headers for ``multipart/form-data``
    requests with the test client.
  * Fix handling of header extended parameters such that they
    are no longer quoted.
  * ``LimitedStream.read`` works correctly when wrapping a
    stream that may not return the requested size in one 
    ``read`` call.
  * A cookie header that starts with ``=`` is treated as an
    empty key and discarded, rather than stripping the leading ``==``.
  * Specify a maximum number of multipart parts, default 1000,
    after which a ``RequestEntityTooLarge`` exception is
    raised on parsing.  This mitigates a DoS attack where a
    larger number of form/file parts would result in disproportionate
    resource use.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Werkzeug?expand=0&rev=76

Werkzeug-2.2.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7ea2d48322cc7c0f8b3a215ed73eabd7b5d75d0b50e31ab006286ccff9e00b8f
-size 844378

Werkzeug-2.2.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e1ccc9417d4da358b9de6f174e3ac094391ea1d4fbef2d667865d819dfd0afe
+size 845884

python-Werkzeug.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Mon Mar 13 18:48:22 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.2.3 (bsc#1208283, CVE-2023-25577):
+  * Ensure that URL rules using path converters will redirect
+    with strict slashes when the trailing slash is missing.
+  * Type signature for ``get_json`` specifies that return type
+    is not optional when ``silent=False``.
+  * ``parse_content_range_header`` returns ``None`` for a value
+    like ``bytes */-1`` where the length is invalid, instead of
+    raising an ``AssertionError``.
+  * Address remaining ``ResourceWarning`` related to the socket
+    used by ``run_simple``.
+  * Remove ``prepare_socket``, which now happens when
+    creating the server.
+  * Update pre-existing headers for ``multipart/form-data``
+    requests with the test client.
+  * Fix handling of header extended parameters such that they
+    are no longer quoted.
+  * ``LimitedStream.read`` works correctly when wrapping a
+    stream that may not return the requested size in one 
+    ``read`` call.
+  * A cookie header that starts with ``=`` is treated as an
+    empty key and discarded, rather than stripping the leading ``==``.
+  * Specify a maximum number of multipart parts, default 1000,
+    after which a ``RequestEntityTooLarge`` exception is
+    raised on parsing.  This mitigates a DoS attack where a
+    larger number of form/file parts would result in disproportionate
+    resource use.
+
 -------------------------------------------------------------------
 Tue Sep 13 17:13:05 UTC 2022 - Ben Greiner <code@bnavigator.de>
 

python-Werkzeug.spec

@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
 %endif
 
 Name:           python-Werkzeug%{psuffix}
-Version:        2.2.2
+Version:        2.2.3
 Release:        0
 Summary:        The Swiss Army knife of Python web development
 License:        BSD-3-Clause