health-dev

Re: [Health-dev] HMIS running on outdated werkzeug in production?


From: Luis Falcon
Subject: Re: [Health-dev] HMIS running on outdated werkzeug in production?
Date: Thu, 31 Mar 2022 16:50:53 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1

Hi there!


On 3/31/22 15:26, Gerald Wiese wrote:
> Hey,
>
> this is about the version of werkzeug.
>
> What about the documentation saying not to use werkzeug in production? Is this negligible if putting a reverse proxy in front anyway, or is this actually a problem and uWSGI or something should be put between reverse proxy and application?

Trytond kernel depends heavily on werkzeug... just doing a simple grep

14:from werkzeug.security import safe_join
8:from werkzeug.wrappers import Response
9:from werkzeug.exceptions import (
13:from werkzeug.exceptions import abort
14:from werkzeug.wrappers import Response
14:from werkzeug.wrappers import Request as _Request, Response
15:from werkzeug.http import wsgi_to_bytes, bytes_to_wsgi
16:from werkzeug.datastructures import Authorization
17:from werkzeug.exceptions import abort, HTTPException
10:from werkzeug.wrappers import Response
11:from werkzeug.exceptions import (
7:from werkzeug.exceptions import abort
13:from werkzeug.exceptions import abort
14:from werkzeug.utils import redirect
15:from werkzeug.wrappers import Response
16:from werkzeug.wrappers import Response
17:from werkzeug.routing import Map, Rule, BaseConverter
18:from werkzeug.exceptions import abort, HTTPException, InternalServerError
20:    from werkzeug.middleware.proxy_fix import ProxyFix
27:    from werkzeug.contrib.fixers import ProxyFix as NumProxyFix
29:    from werkzeug.security import safe_join
33:    from werkzeug.middleware.shared_data import SharedDataMiddleware
35:    from werkzeug.wsgi import SharedDataMiddleware
7:from werkzeug.wrappers import Response
8:from werkzeug.test import Client
8:from werkzeug.test import Client
9:from werkzeug.wrappers import BaseResponse
6:    from werkzeug.utils import cached_property
18:from werkzeug.utils import redirect
19:from werkzeug.wrappers import Response
20:from werkzeug.exceptions import (

So eliminating it at this point would be challenging. The idea on LTS versions is to focus on stability. Basically if it runs well, we'll wait until the next GH stable release to upgrade the Tryton kernel.


That said, at GNU Health we take security very seriously, and if there is a known security bug in the werkzeug version used with Trytond 6.x, we will patch the kernel, as we have done in the past.


Let us know your thoughts

Bests,

--
Dr. Luis Falcon, MD, MSc
President, GNU Solidario
Advancing Social Medicine
www.gnusolidario.org



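As an added example (not code from the Tryton or GNU Health projects, and not part of the thread itself), the check a deployer would run before taking comfort from the reply above: report the werkzeug version installed in the environment that actually serves trytond, compare it against a minimum the operator has chosen, and wrap a WSGI app with ProxyFix using the same two import locations the grep output shows (werkzeug.middleware.proxy_fix, with the pre-1.0 werkzeug.contrib.fixers as fallback). The version numbers in the usage are constructed placeholders, not a claim about which werkzeug release fixes any particular bug; the function names are the example's own.

```python
"""Report the werkzeug version a Trytond deployment really runs and wrap a
WSGI app for the reverse-proxy setup discussed in the thread.
Added example; not code from Tryton or GNU Health."""
import re
from importlib import metadata


def parse_version(text):
    """Turn '2.0.3' or '0.16.1' into a comparable tuple of ints.
    A non-numeric suffix such as 'rc1' is dropped, so a pre-release compares
    equal to its final release; good enough for a coarse 'is it older' test."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_outdated(installed, minimum):
    """True when the installed version is strictly older than the minimum the
    operator has decided to require (e.g. the first release carrying a fix
    they care about). Plain tuple comparison: (2, 0, 3) < (2, 2, 3)."""
    return parse_version(installed) < parse_version(minimum)


def installed_werkzeug_version():
    """Version of werkzeug visible to this interpreter, or None when it is not
    installed. Run it from the same virtualenv or python that starts trytond,
    otherwise you are auditing the wrong environment."""
    try:
        return metadata.version("werkzeug")
    except metadata.PackageNotFoundError:
        return None


def check(minimum, installed):
    """Summarise one comparison. 'outdated' is None when nothing is installed,
    so a missing package is not mistaken for an up-to-date one."""
    return {
        "installed": installed,
        "minimum": minimum,
        "outdated": None if installed is None else is_outdated(installed, minimum),
    }


def check_environment(minimum):
    """Same report, for the interpreter this script runs under."""
    return check(minimum, installed_werkzeug_version())


def wrap_behind_proxy(app, num_proxies=1):
    """Apply werkzeug's ProxyFix so the app sees the client address and scheme
    from the X-Forwarded-* headers a reverse proxy sets. Tries the current
    module first and the pre-1.0 contrib location second, like the grep output
    in the thread. Returns (app, fixer_name); fixer_name is None and the app is
    returned unchanged when werkzeug is not importable at all.

    Caveat: ProxyFix trusts those headers unconditionally, so only use it when
    the application socket is reachable solely through the proxy (loopback or
    a private network); exposed directly, any client could forge its address."""
    try:
        from werkzeug.middleware.proxy_fix import ProxyFix
        return ProxyFix(app, x_for=num_proxies, x_proto=num_proxies), "proxy_fix"
    except ImportError:
        pass
    try:
        from werkzeug.contrib.fixers import ProxyFix as LegacyProxyFix
        return LegacyProxyFix(app, num_proxies=num_proxies), "contrib.fixers"
    except ImportError:
        return app, None


if __name__ == "__main__":
    # "2.2.3" is a placeholder minimum chosen for the demonstration, not a
    # statement about any werkzeug advisory; substitute the version your own
    # review of the advisories calls for.
    print(check_environment("2.2.3"))
```

The version report answers only half of Gerald's question: it says which werkzeug library trytond imports, not whether werkzeug's own development server or a separate WSGI server (uWSGI, gunicorn) is the process accepting connections behind the proxy. That has to be confirmed from how trytond is actually launched on the host.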