Your message dated Mon, 01 Feb 2021 16:34:34 +0000
with message-id <e1l6c9q-000ciq...@fasolo.debian.org>
and subject line Bug#980189: fixed in flask-security 4.0.0-1
has caused the Debian Bug report #980189,
regarding flask-security: CVE-2021-21241
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
980189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: flask-security
Version: 3.4.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/Flask-Middleware/flask-security/issues/421
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for flask-security.

CVE-2021-21241[0]:
| The Python "Flask-Security-Too" package is used for adding security
| features to your Flask application. It is an independently
| maintained version of Flask-Security based on the 3.0.0 version of
| Flask-Security. In Flask-Security-Too from version 3.3.0 and before
| version 3.4.5, the /login and /change endpoints can return the
| authenticated user's authentication token in response to a GET
| request. Since GET requests aren't protected with a CSRF token, this
| could lead to a malicious 3rd party site acquiring the authentication
| token. Version 3.4.5 and version 4.0.0 are patched. As a workaround,
| if you aren't using authentication tokens - you can set the
| SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token
| unusable.

Admittedly the CVE description currently on MITRE is quite confusing,
referring to the Flask-Security-Too package. But the other references
pointed out, and a review of the changes, seem to apply to the original
project as well (I might be missing something here).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21241
[1] https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
[2] https://github.com/Flask-Middleware/flask-security/pull/422
[3] https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f
[4] https://github.com/Flask-Middleware/flask-security/issues/421

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
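
The pattern the CVE text above describes, reproduced as an added example for this page (it is not Flask-Security's code and does not use Flask): a small stdlib HTTP server whose /login endpoint, in the vulnerable mode, hands the authentication token to any cookie-authenticated GET, and, in the hardened mode, only reports login state on GET and releases the token on a POST that carries the session's CSRF token. The session ids, CSRF token, server secret and the X-CSRF-Token header name are constructed for the example; the hardened branch illustrates the general principle (no secret disclosure on an unprotected GET) rather than the exact upstream change.

```python
# Added example: cookie-authenticated GET leaking a bearer token (vulnerable) next
# to a hardened variant. Not Flask-Security code; all identifiers are constructed.
import hashlib
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

SECRET = b"constructed-server-secret"        # stands in for the app's SECRET_KEY
SESSIONS = {"sess-alice": "alice"}           # constructed: session cookie value -> user
CSRF_TOKENS = {"sess-alice": "csrf-abc"}     # constructed: per-session CSRF token


def auth_token_for(user):
    """Per-user bearer token (stand-in for Flask-Security's authentication_token)."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


class LoginHandler(BaseHTTPRequestHandler):
    hardened = False  # overridden per server instance in run_server()

    def log_message(self, *args):  # keep the example quiet
        pass

    def _session(self):
        """Return (session_id, user) from the Cookie header, or (None, None)."""
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session" and value in SESSIONS:
                return value, SESSIONS[value]
        return None, None

    def _json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path != "/login":
            return self._json(404, {"error": "not found"})
        _, user = self._session()
        if user is None:
            return self._json(401, {"error": "anonymous"})
        if self.hardened:
            # Fixed: GET only reports the login state, never the token.
            return self._json(200, {"user": user})
        # Vulnerable: GET carries no CSRF token, yet it discloses the bearer token.
        return self._json(200, {"user": user, "authentication_token": auth_token_for(user)})

    def do_POST(self):
        if self.path != "/login":
            return self._json(404, {"error": "not found"})
        sid, user = self._session()
        if user is None:
            return self._json(401, {"error": "anonymous"})
        sent = self.headers.get("X-CSRF-Token", "")
        if self.hardened and not hmac.compare_digest(sent, CSRF_TOKENS.get(sid, "")):
            # Fixed: the token is only released on a CSRF-protected unsafe request.
            return self._json(403, {"error": "missing or invalid CSRF token"})
        return self._json(200, {"user": user, "authentication_token": auth_token_for(user)})


def run_server(hardened):
    """Start a loopback server on an ephemeral port in a daemon thread."""
    handler = type("Handler", (LoginHandler,), {"hardened": hardened})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(hardened, method="GET", cookie="session=sess-alice", csrf=None):
    """One request as a cross-site page could send it: with the victim's cookie and,
    for POST, optionally the CSRF header a third party would not know. Returns (status, body)."""
    headers = {}
    if cookie:
        headers["Cookie"] = cookie
    if csrf:
        headers["X-CSRF-Token"] = csrf
    server = run_server(hardened)
    try:
        url = "http://127.0.0.1:%d/login" % server.server_address[1]
        req = request.Request(url, data=b"" if method == "POST" else None,
                              method=method, headers=headers)
        try:
            with request.urlopen(req, timeout=5) as resp:
                return resp.status, json.loads(resp.read())
        except error.HTTPError as exc:
            return exc.code, json.loads(exc.read())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable GET:", probe(hardened=False))
    print("hardened GET  :", probe(hardened=True))
    print("hardened POST :", probe(hardened=True, method="POST", csrf="csrf-abc"))
    print("POST, no CSRF :", probe(hardened=True, method="POST"))
```

Running the block issues the four probes against a loopback server: the vulnerable GET body contains authentication_token, the hardened GET does not, and the hardened POST releases it only when the CSRF header matches. What a third-party page can actually read from such a response also depends on the browser's same-origin and cookie policies; the example shows only the server-side disclosure that the fix removes.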
--- Begin Message ---
Source: flask-security
Source-Version: 4.0.0-1
Done: Christoph Berg <m...@debian.org>

We believe that the bug you reported is fixed in the latest version of
flask-security, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <m...@debian.org> (supplier of updated flask-security package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Feb 2021 15:42:21 +0100
Source: flask-security
Architecture: source
Version: 4.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Closes: 980189
Changes:
 flask-security (4.0.0-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Debian Janitor ]
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
     Repository-Browse.
 .
   [ Ondřej Nový ]
   * d/control: Update Maintainer field with new Debian Python Team
     contact address.
   * d/control: Update Vcs-* fields with new Debian Python Team Salsa
     layout.
 .
   [ Christoph Berg ]
   * New upstream version 4.0.0.
     + Fixes /login and /change vulnerability. (Closes: 980189, CVE-2021-21241)
Checksums-Sha1:
 38a0940a39aabc21877741b6c55c3ca86aa5bde5 2420 flask-security_4.0.0-1.dsc
 9909af684fc85923ff5a7298a9437b0dd0c78995 407928 flask-security_4.0.0.orig.tar.gz
 d4a2a75c7a2ce359053d3d37b3a4ff1970889bb5 3128 flask-security_4.0.0-1.debian.tar.xz
Checksums-Sha256:
 1c9567749276f72ece1b9f5683c55b827acf1d51337c26577030a5d30db99836 2420 flask-security_4.0.0-1.dsc
 4aa0a076fe0faabf01017d727e81fce0800170ce1cbf01534d16549fa6464d87 407928 flask-security_4.0.0.orig.tar.gz
 0aa14ba46c02ebfb3d9985d1f9d1f8155c4ee4f0b24ae3500d5b306797deb5c0 3128 flask-security_4.0.0-1.debian.tar.xz
Files:
 32a8989be73fdc9dafa822aaed4a9117 2420 python optional flask-security_4.0.0-1.dsc
 e0c43f4406beff47bb83da986e412b7e 407928 python optional flask-security_4.0.0.orig.tar.gz
 48b4b717a32772ba4bf9b652fa414dac 3128 python optional flask-security_4.0.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
