Your message dated Fri, 10 May 2024 19:22:52 +0000
with message-id <[email protected]>
and subject line Bug#1069764: fixed in python-flask-cors 4.0.1-1
has caused the Debian Bug report #1069764,
regarding python-flask-cors: CVE-2024-1681
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1069764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069764
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-flask-cors
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for python-flask-cors.
CVE-2024-1681[0]:
| corydolphin/flask-cors is vulnerable to log injection when the log
| level is set to debug. An attacker can inject fake log entries into
| the log file by sending a specially crafted GET request containing a
| CRLF sequence in the request path. This vulnerability allows
| attackers to corrupt log files, potentially covering tracks of other
| attacks, confusing log post-processing tools, and forging log
| entries. The issue is due to improper output neutralization for
| logs.
https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
https://github.com/corydolphin/flask-cors/issues/349
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-1681
https://www.cve.org/CVERecord?id=CVE-2024-1681
Please adjust the affected versions in the BTS as needed.
--- End Message ---
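As an added illustration of the log-injection class the report above describes (example code written for this page, not code from flask-cors or the Debian package), the block below logs a request path at debug level twice: once through a plain handler, once through a filter that escapes CR/LF before the record is emitted. The debug message text and the crafted path are constructed stand-ins, not quotes from flask-cors.

```python
import io
import logging


def neutralize(text: str) -> str:
    """Escape CR, LF and other C0 control characters so untrusted input
    (here: a request path) cannot terminate the current log line and
    start a forged one."""
    out = []
    for ch in text:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


class CrlfNeutralizingFilter(logging.Filter):
    """Rewrites the fully interpolated message before a handler emits it.
    Done as a filter rather than a formatter so exception tracebacks
    attached to the record keep their real newlines."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = neutralize(record.getMessage())
        record.args = ()
        return True


def render_debug_line(path: str, neutralized: bool) -> str:
    """Log a debug message mentioning the request path and return what a
    line-oriented handler would write. Constructed demo, not flask-cors."""
    buf = io.StringIO()
    logger = logging.getLogger("cors-demo-" + ("safe" if neutralized else "raw"))
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    if neutralized:
        handler.addFilter(CrlfNeutralizingFilter())
    logger.addHandler(handler)
    logger.debug("Request to relative path %s", path)
    return buf.getvalue()


# Constructed sample: a path carrying a CRLF followed by text shaped like a
# second log record. Without neutralization the handler writes two lines.
CRAFTED_PATH = "/api/items\r\nINFO cors-demo-raw forged entry"
```

The same filter can be attached to any handler that receives records from a library logging request-derived strings, which is the defensive counterpart to the upstream fix of not emitting raw paths.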
--- Begin Message ---
Source: python-flask-cors
Source-Version: 4.0.1-1
Done: Carsten Schoenert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-flask-cors, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Schoenert <[email protected]> (supplier of updated
python-flask-cors package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 10 May 2024 20:52:32 +0200
Source: python-flask-cors
Architecture: source
Version: 4.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Carsten Schoenert <[email protected]>
Closes: 1069764
Changes:
python-flask-cors (4.0.1-1) unstable; urgency=medium
.
* Team upload.
.
[ Alexandre Detiste ]
* remove dependency on old python3-six
.
[ Carsten Schoenert ]
* d/watch: Add compression=gz to opts
* New upstream version 4.0.1
Fixes CVE-2024-1681
(Closes: 1069764)
* Rebuild patch queue from patch-queue branch
Added patch:
upstream/tests-Use-importlib.metadata.version-flask.patch
Updated patches:
debian-hacks/Privacy-Remove-linking-to-external-resources.patch
debian-hacks/README-Link-to-internal-HTML-resource.patch
debian-hacks/docs-Use-local-inventory-for-Python3.patch
* d/control: Increase Standards-Version to 4.7.0
No further modifications needed.
* d/copyright: Update year data
* d/rules: Add target override_dh_clean
Clean up one more possible folder.
--- End Message ---