Your message dated Fri, 18 Dec 2020 16:19:26 +0000
with message-id <[email protected]>
and subject line Bug#969362: fixed in python-flask-cors 3.0.9-1
has caused the Debian Bug report #969362,
regarding python-flask-cors: CVE-2020-25032
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
969362: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969362
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-flask-cors
Version: 3.0.8-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.0.7-1
Hi,
The following vulnerability was published for python-flask-cors.
CVE-2020-25032[0]:
| An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
| before 3.0.9. It allows ../ directory traversal to access private
| resources because resource matching does not ensure that pathnames are
| in a canonical format.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
[1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
Regards,
Salvatore
--- End Message ---
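The matching problem described in the CVE text above, shown as an added example. It is a simplified model, not Flask-CORS code or the upstream fix. The policy table, request paths and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed policy: only /api/public/ is meant to receive a CORS policy.
RESOURCES = [(re.compile(r"/api/public/.*"), {"origins": "*"})]


def canonicalize(path):
    """Percent-decode, then collapse '.', '..' and repeated slashes."""
    decoded = unquote(path)
    canon = posixpath.normpath(decoded)
    if canon.startswith("//"):  # normpath keeps exactly two leading slashes
        canon = "/" + canon.lstrip("/")
    if decoded.endswith("/") and canon != "/":
        canon += "/"  # normpath drops the trailing slash; restore it
    return canon


def match_raw(path):
    """Weak form: match the policy against the path exactly as received."""
    for pattern, options in RESOURCES:
        if pattern.match(path):
            return options
    return None


def match_canonical(path):
    """Hardened form: match only after the path is in canonical form."""
    return match_raw(canonicalize(path))


if __name__ == "__main__":
    # Constructed request paths; the second and third are non-canonical
    # spellings of a path that lies outside /api/public/.
    for p in ("/api/public/items",
              "/api/public/../private/report",
              "/api/public/%2e%2e/private/report"):
        print(f"{p!r}: raw={match_raw(p)} canonical={match_canonical(p)}")
```

The raw matcher applies the public policy to both non-canonical paths, while the canonical matcher returns no policy for them.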
--- Begin Message ---
Source: python-flask-cors
Source-Version: 3.0.9-1
Done: Louis-Philippe Véronneau <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-flask-cors, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Louis-Philippe Véronneau <[email protected]> (supplier of updated
python-flask-cors package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 18 Dec 2020 10:54:57 -0500
Source: python-flask-cors
Architecture: source
Version: 3.0.9-1
Distribution: unstable
Urgency: medium
Maintainer: Stewart Ferguson <[email protected]>
Changed-By: Louis-Philippe Véronneau <[email protected]>
Closes: 950058 969362
Changes:
python-flask-cors (3.0.9-1) unstable; urgency=medium
.
* Team upload.
.
[ Louis-Philippe Véronneau ]
* d/gbp.conf: use team's branch names and migrate to debian/master.
* d/control: upgrade to dh13.
* d/control: update Standards-Version to 4.5.1. Add Rules-Requires-Root.
* d/control: the team is not called the Python Team.
* d/tests: add autopkgtest.
.
[ Ondřej Nový ]
* Bump Standards-Version to 4.4.1.
* d/control: Update Vcs-* fields with new Debian Python Team Salsa
layout.
.
[ Bastian Germann ]
* Add gbp.conf
* New upstream version 3.0.9 (Closes: #950058, #969362)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---