-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 30 Jun 2025 02:59:32 +0200 Source: python-flask-cors Binary: python3-flask-cors Architecture: all Version: 3.0.10-2+deb12u1 Distribution: bookworm Urgency: medium Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) Changed-By: Daniel Leidert Description: python3-flask-cors - Flask extension for handling CORS (Python 3) Closes: 1069764 1100988 Changes: python-flask-cors (3.0.10-2+deb12u1) bookworm; urgency=medium . * Non-maintainer upload by the Debian LTS team. * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764). - An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path, allowing them to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988). - The request path matching is case-insensitive. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential leaks. * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to fix CVE-2024-6839 (closes: #1100988). - There is an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors. d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988). - The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues. Checksums-Sha1: 62467d336a678e954c8d51b135fe6c4c5862a3b8 8613 python-flask-cors_3.0.10-2+deb12u1_all-buildd.buildinfo a60f10c3a3ac5fe3147975c7fb519817dd157330 44364 python3-flask-cors_3.0.10-2+deb12u1_all.deb Checksums-Sha256: ad197496d7ad151ce5941b5303d114d2218dcda95d0eb83fd9a3e25080d870c8 8613 python-flask-cors_3.0.10-2+deb12u1_all-buildd.buildinfo 557b915d61f6307733c4bea8233d6cceab7d2ffbe73b585487a1a48d3701dd89 44364 python3-flask-cors_3.0.10-2+deb12u1_all.deb Files: 0bad52c7595b0bd9ebb92bec31aa69c7 8613 python optional python-flask-cors_3.0.10-2+deb12u1_all-buildd.buildinfo 5375e7ac6fd71d4132267736c17360b1 44364 python optional python3-flask-cors_3.0.10-2+deb12u1_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEHqtYLkdKRyCY94K8fUw6/tXbAmMFAmivZ8gACgkQfUw6/tXb AmMzLBAAgXSoaEM0F3hH/2BZG2gfdefpboQnahjpq9GyhUS5qyp0AGrqhnHeyw5A o8lOi4T3gDnRMGNIn1wMTdR2tVae8UQ7vpw5LM9I3p5a+GNe26Z3PoSp5fZx2kJz I0hFaiBLcJ9+X6TiFuNTLuvsNpoDXKe09VI+DSDDOY1S6h8OiR9e131vI1kkb7kJ Y7903WPeOvc73qceCruLwsFRL1y1uAfbDOZ2rlQ2T+yoyBu1enIiCDNooKNmAKv2 l0gdcKvTN6xPjvtEhcKS/UX4WnC+s3fUwDuguL3Bbfmn5XoO3XpJFO5ogMMjqtVJ hnEOyGPOeHCekkeaSfsvssIRuvMEY5SX9YgHkJd5I4aMW2CQ+uKtzLn68XyJMff4 7wRA7HDk9pcXzcrgePsY2VXdw+h9sI8PUyFgk3mBDsP7Whqy+IDrYekwOBnpeEU8 +di+mt9cz3zEcVzuKD8roMpCVuD8zZXfo0ib8MpltEAMhLBMDB9lAACyR6sNF2ib Vl2Q53DzvfwetV8IcjTaf9Hs2qv1YtlhcmjlvyuWrRQiaKMTudYxK4veRdh/Y4O2 01eT9zwgzeH1hwHMlb74Wrva3ICP3/Waiya/6ah3Kn5uztsPWZF3UnBRuGYGynqy jjYvKKn58X1AeWkdE98cz9KNZazIyskcwPW9cY9uo0BPor8wpUM= =0lpS -----END PGP SIGNATURE-----