home  bbs  files  messages ]

      ZZLI4418             linux.debian.changes             419 messages      

[ previous | next | reply ]

[ list messages | list forums ]

  Msg # 332 of 419 on ZZLI4418, Thursday 8-27-25, 6:00  
  From: DEBIAN FTP MASTERS  
  To: ALL  
  Subj: Accepted python-flask-cors 3.0.10-2+deb1  
 From: ftpmaster@ftp-master.debian.org 
  
 -----BEGIN PGP SIGNED MESSAGE----- 
 Hash: SHA512 
  
 Format: 1.8 
 Date: Mon, 30 Jun 2025 02:59:32 +0200 
 Source: python-flask-cors 
 Architecture: source 
 Version: 3.0.10-2+deb12u1 
 Distribution: bookworm 
 Urgency: medium 
 Maintainer: Debian Python Team  
 Changed-By: Daniel Leidert  
 Closes: 1069764 1100988 
 Changes: 
  python-flask-cors (3.0.10-2+deb12u1) bookworm; urgency=medium 
  . 
    * Non-maintainer upload by the Debian LTS team. 
    * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: 
 #1069764). 
      - An attacker can inject fake log entries into the log file by sending 
 a 
        specially crafted GET request containing a CRLF sequence in the 
 request 
        path, allowing them to corrupt log files, potentially covering 
 tracks of 
        other attacks, confusing log post-processing tools, and forging log 
        entries. 
    * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: 
 #1100988). 
      - The request path matching is case-insensitive. This results in a 
 mismatch 
        because paths in URLs are case-sensitive, but the regex matching 
 treats 
        them as case-insensitive. This misconfiguration can lead to 
 significant 
        security vulnerabilities, allowing unauthorized origins to access 
 paths 
        meant to be restricted, resulting in data exposure and potential 
 leaks. 
    * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add 
 to 
      fix CVE-2024-6839 (closes: #1100988). 
      - There is an improper regex path matching vulnerability. The plugin 
        prioritizes longer regex patterns over more specific ones when 
 matching 
        paths, which can lead to less restrictive CORS policies being 
 applied to 
        sensitive endpoints. This mismatch in regex pattern priority allows 
        unauthorized cross-origin access to sensitive data or functionality, 
        potentially exposing confidential information and increasing the 
 risk of 
        unauthorized actions by malicious actors. 
     d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: 
 #1100988). 
     - The request.path is passed through the unquote_plus function, which 
       converts the '+' character to a space ' '. This behavior leads to 
       incorrect path normalization, causing potential mismatches in CORS 
       configuration. As a result, endpoints may not be matched correctly to 
       their CORS settings, leading to unexpected CORS policy application. 
 This 
       can cause unauthorized cross-origin access or block valid requests, 
       creating security vulnerabilities and usability issues. 
 Checksums-Sha1: 
  1fd8e8578bdcbacc0c97b435d3b0b9b44d68a227 2476 python-flask-cors 
 3.0.10-2+deb12u1.dsc 
  243c6dcf3eaf6b83a10ca768dce19401ebc3a778 31012 python-flask-cor 
 _3.0.10.orig.tar.gz 
  505b4c0d801fa5229844b40a8f4a6b25a3187c35 11520 python-flask-cor 
 _3.0.10-2+deb12u1.debian.tar.xz 
  21ac87270b6b3dbd48830f1631466545e58cb4a1 9099 python-flask-cors 
 3.0.10-2+deb12u1_amd64.buildinfo 
 Checksums-Sha256: 
  b445ed1582a8299942233091936fcee0d4b5008362e52291d4a3dfe20b74b05c 2476 
 python-flask-cors_3.0.10-2+deb12u1.dsc 
  dec449f200ea3c76778e90bd39c5477eb3a3e7ccaef16ea6fb586a3a8ae71bc8 31012 
 python-flask-cors_3.0.10.orig.tar.gz 
  c424e676660d1589ffda4be0e5a2428b0a695511815faf9c1202a683d70eb3b4 11520 
 python-flask-cors_3.0.10-2+deb12u1.debian.tar.xz 
  93defa861a2163f3276fe0e21c41d963f3beea86b8a6a50b9e7e31c0792dca04 9099 
 python-flask-cors_3.0.10-2+deb12u1_amd64.buildinfo 
 Files: 
  6eab289cb45fb7ebee9b527067c7757f 2476 python optional python-fl 
 sk-cors_3.0.10-2+deb12u1.dsc 
  9059ec4c4ea1353439ed2ae1e86bd5d6 31012 python optional python-f 
 ask-cors_3.0.10.orig.tar.gz 
  de95fbf6270836871af81dfa2d4d3ba5 11520 python optional python-f 
 ask-cors_3.0.10-2+deb12u1.debian.tar.xz 
  b89d9bc47e12187d0ee8a48fc2dc2f11 9099 python optional python-fl 
 sk-cors_3.0.10-2+deb12u1_amd64.buildinfo 
  
 -----BEGIN PGP SIGNATURE----- 
  
 iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmiuNGYACgkQS80FZ8KW 
 0F0STA//fwX6xPXS6zekn9pLb8nrz91eYUSBNL74+CznWkBta1EAS40mzVbUrcod 
 B9bASw/8vdgPvaA+9V3il2n+554ThE1VzaSpPPU8p5519rrGvYUx/3zf8Cn1T5Yh 
 rtKDqv+GxZkj4ZPIc3h+rSgxUuchYXMjF/+G1r5jcfexuAjYnhCyqjX55CbkiFhp 
 UzW7Ht0mls2Zd3g49CKD7/hzfqDLRsKHInkqYauEtXybERrZdFVog4hPk5TroDiw 
 jp1Y9FONydoj/W1cMWZKCvXLrZk7wzDu8/ZZHAXnHuSe9BUzPh4MlsbOSr+SxhpX 
 TOfBvqre4uZPutnFcW6Biiy1QT+VmYmCjRuPzpInpPwbSyAX+2SS19XaAh2pBnKV 
 lBlOeRvxKzB+wRFTmo+qMENQt4L5HbxfpN+EdIwKmAcCmC8ATRbZOCWIAedztVwU 
 DJThejIpLK28n5QWifQe7rFrokxamdyu6ELSVAydMPdEhDRaqFFkzX/D7klZ6Uv7 
 d3rOt2i/sh/Zz6cxGFSqFhDs1jlJbk4sWRiqpPC6dD71hljnhn1IlULsnlIebuJC 
 0sDWfxEr4k/9ZJj2tBJn69gAUwXMdSCGBu/lSjlh6bJ1HbImHe/OJQ3vcB3Ix1JA 
 G7hZ0PUaDb5obzQZmo7GzQ5i5QSXy8rSPz+ZmEfTYL4EbyT/644= 
 =bi6h 
 -----END PGP SIGNATURE----- 
  
  
 --============== 04948388856485756=Content-Type: application/pgp-signature 
  
 -----BEGIN PGP SIGNATURE----- 
  
 iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCaK9dTQAKCRCb9qggYcy5 
 IQ4OAQD3kXurSZ0LAAoehl0qU6WtMZr3NZVQK59bvlCiqYKGxwEA8zG5VlcZYbLw 
 3KRKP7raD7bSvhAXPKzyzKw/FBXTdgk=pcJ7 
 -----END PGP SIGNATURE----- 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2) 

[ list messages | list forums | previous | next | reply ]

search for:

328,098 visits
(c) 1994,  bbs@darkrealms.ca