Hi Bastian,

On Wed, Oct 14, 2020 at 05:39:00PM +0200, Salvatore Bonaccorso wrote:
> Hi Bastian,
>
> On Tue, Oct 13, 2020 at 11:36:40PM +0200, Bastian Germann wrote:
> > Hi Salvatore,
> >
> > Thanks for your hints.
> >
> > On 10.10.20 at 23:02, Salvatore Bonaccorso wrote:
> > > Hi Bastian,
> > >
> > > [Please do send such requests always to team@s.d.o, dev-ref gives as
> > > well some further hints at
> > > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]
> > >
> > > On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
> > > > On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
> > > > <car...@debian.org> wrote:
> > > > > The following vulnerability was published for python-flask-cors.
> > > > >
> > > > > CVE-2020-25032[0]:
> > > > > | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
> > > > > | before 3.0.9. It allows ../ directory traversal to access private
> > > > > | resources because resource matching does not ensure that pathnames are
> > > > > | in a canonical format.
> > > > >
> > > > > If you fix the vulnerability please also make sure to include the
> > > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > > >
> > > > > For further information see:
> > > > >
> > > > > [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
> > > > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
> > > > > [1]
> > > > > https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
> > > >
> > > > I have prepared a buster-security release at
> > > >
> > > > https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2
> > >
> > > As for the update, please do send always as a debdiff from a built
> > > (and tested) package (this request is similar to what stable release
> > > managers would expect for point release updates, it helps us as well
> > > to archive discussion and debdiffs to review).
> >
> > The debdiff is enclosed. Also available at:
> > https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-1+deb10u1
> >
> > > But I can give already a first feedback: debian/changelog uses 3.0.7-2
> > > as version. Even though 3.0.7-2 might never have been seen in the
> > > archive, please do use 3.0.7-1+deb10u1 instead following the usual
> > > convention. While at it use urgency=high (for consistency in security
> > > updates).
> > >
> > > For the bug closer I think you will need to use "(Closes: #969362)".
> >
> > I applied all suggestions.
> >
> > > Furthermore: what kind of testing did the update receive, were you
> > > able to test the update in production environments, are there any
> > > problems spotted? I'm asking in particular as the modified tests seem
> > > to pass ok as well without the patch (but I only quickly gave it a
> > > test from the git repository, might be something else strange here).
> >
> > I ran the built package on buster but did not try to confirm that the
> > security issue is closed as claimed by upstream. No problems spotted.
>
> Ack thanks for confirming. I have uploaded the package to
> security-master and we will release DSA soon when time permits.

DSA 4775-1 has been released now for it.

> I think it's okay to not have patched as well the example (where the
> call was fixed accordingly including /api/ in the target URL, anybody
> searching for examples will probably look online anyway).
>
> > > > > The new upstream release is waiting in the master branch to be published
> > > > > in sid.
> > >
> > > Ok, although not required, if you have that already ok to be uploaded
> > > I would say to go ahead with the unstable upload and have the fixes
> > > exposed there already.
> >
> > I cannot upload because I am not a DD. It would be nice if someone could
> > sponsor the new version. It also closes a FTBFS, which got me interested
> > in the package in the first place.
>
> Can you ask anybody in the team to do that?

This still would be needed.

Regards,
Salvatore
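The CVE text quoted in the thread gives the root cause as resource matching on a path that is not in canonical form. The following is an added illustration of that bug class and of the mitigation (canonicalize, then match); it was written for this page and is not Flask-CORS code, not the upstream commit linked as [1] above, and does not use Flask. The resource patterns follow the flask-cors convention of a path with '*' as a wildcard; the policy, the sample request paths and the function names match_raw and match_canonical are constructed for the example.

```python
"""Canonicalize request paths before CORS resource matching.

Added illustration of the bug class described by CVE-2020-25032 (CORS
resource matching on a non-canonical path). Example code written for this
discussion, not Flask-CORS and not its upstream fix. Resource patterns use
the flask-cors convention of '*' as a wildcard; the policy and the sample
request paths below are constructed.
"""
import posixpath
import re
from urllib.parse import unquote


def compile_resource(pattern):
    """Turn a path pattern such as '/api/public/*' into an anchored regex."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def canonicalize(path):
    """Return the canonical form of a request path.

    1. Percent-decode, so '%2e%2e' is seen as '..'.
    2. Force a single leading slash (posixpath keeps '//' verbatim by POSIX rules).
    3. Collapse '.', '..' and repeated slashes; '..' can never climb above '/'.
    """
    decoded = unquote(path)
    canon = posixpath.normpath("/" + decoded.lstrip("/"))
    # normpath drops a trailing slash; keep it so '/api/public/' still
    # matches '/api/public/*'.
    if decoded.endswith("/") and not canon.endswith("/"):
        canon += "/"
    return canon


def match_raw(path, resources):
    """Weak matcher: decides on the path string exactly as received."""
    for pattern, options in resources:
        if compile_resource(pattern).match(path):
            return options
    return None


def match_canonical(path, resources):
    """Hardened matcher: decides on the canonical path, i.e. the resource
    that will actually be served, so the CORS decision and the served
    resource cannot disagree."""
    canon = canonicalize(path)
    for pattern, options in resources:
        if compile_resource(pattern).match(canon):
            return options
    return None


# Constructed policy: only /api/public/... may be read cross-origin.
RESOURCES = [("/api/public/*", {"origins": "*"})]


def demo():
    """Compare both matchers on one traversal-style path; returns (raw, canonical)."""
    probe = "/api/public/%2e%2e/private/secret"
    return match_raw(probe, RESOURCES), match_canonical(probe, RESOURCES)


if __name__ == "__main__":
    raw, canon = demo()
    print("raw match     :", raw)    # {'origins': '*'}  applied to /api/private/secret
    print("canonical     :", canon)  # None
    print("canonical path:", canonicalize("/api/public/%2e%2e/private/secret"))
```

The weak matcher grants the public policy to a request whose canonical target is under /api/private, which is exactly the mismatch the CVE describes; the hardened matcher makes its decision on the same path the application will resolve. When reviewing a backport of such a fix, a test that exercises a percent-encoded '..' segment (as in demo) is the one that distinguishes the patched from the unpatched matcher, which is worth keeping in mind given the remark in the thread that the modified tests passed without the patch.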