Your message dated Fri, 27 Feb 2026 22:43:19 +0100
with message-id <[email protected]>
and subject line Re: Accepted flask 3.1.3-1 (source) into unstable
has caused the Debian Bug report #1128620,
regarding flask: CVE-2026-27205
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128620: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128620
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: flask
Version: 3.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for flask.
CVE-2026-27205[0]:
| Flask is a web server gateway interface (WSGI) web application
| framework. In versions 3.1.2 and below, when the session object is
| accessed, Flask should set the Vary: Cookie header., resulting in a
| Use of Cache Containing Sensitive Information vulnerability. The
| logic instructs caches not to cache the response, as it may contain
| information specific to a logged in user. This is handled in most
| cases, but some forms of access such as the Python in operator were
| overlooked. The severity and risk depend on the application being
| hosted behind a caching proxy that doesn't ignore responses with
| cookies, not setting a Cache-Control header to mark pages as private
| or non-cacheable, and accessing the session in a way that only
| touches keys without reading values or mutating the session. The
| issue has been fixed in version 3.1.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27205
    https://www.cve.org/CVERecord?id=CVE-2026-27205
[1] https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
[2] https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
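The advisory above describes a conditional header: Flask adds `Vary: Cookie` only when it knows the session was read, and the `in` operator did not set that flag. The following is an added, simplified model written for this page, not Flask's own code and not the fix commit; class names (`VulnerableSession`, `FixedSession`), the `accessed` attribute and the helper functions are assumptions chosen to illustrate the mechanism and the two preconditions the advisory lists (no `Vary: Cookie`, no private `Cache-Control`).

```python
"""Model of the Vary: Cookie logic described in CVE-2026-27205.

Added illustration for this bug page; NOT Flask's code. A session-aware
response should carry ``Vary: Cookie`` so a shared cache keys it on the
Cookie header. The pre-fix model below reproduces the overlooked case:
``"key" in session`` reads the session without marking it as accessed.
"""


class VulnerableSession(dict):
    """Models the pre-3.1.3 behaviour: item reads set `accessed`, but the
    `in` operator falls through to dict.__contains__ and is not tracked."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.accessed = False  # assumed name for the "session was read" flag

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)


class FixedSession(VulnerableSession):
    """Models the 3.1.3 behaviour: membership tests also mark the session as read."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)


def finalize_headers(session, headers):
    """Append `Cookie` to the Vary header when the session was accessed.

    `headers` is a plain dict standing in for the response header map.
    The conditional is the point: if `accessed` was never set, no
    Vary: Cookie is emitted and a caching proxy may store the response."""
    if session.accessed:
        vary = [v.strip() for v in headers.get("Vary", "").split(",") if v.strip()]
        if "Cookie" not in vary:
            vary.append("Cookie")
        headers["Vary"] = ", ".join(vary)
    return headers


def membership_only_view(session, headers=None):
    """A view that only tests key membership, the access pattern the advisory names."""
    headers = dict(headers or {"Content-Type": "text/plain"})
    body = "welcome back" if "user_id" in session else "hello stranger"
    return body, finalize_headers(session, headers)


def mark_private(headers):
    """Framework-independent mitigation from the advisory's precondition list:
    declare session-bearing responses private and uncacheable so a shared
    cache never stores them, whether or not Vary: Cookie was emitted.
    Apply it to every response of a route that touches the session."""
    headers = dict(headers)
    headers["Cache-Control"] = "private, no-store"
    return headers


def is_cache_safe(headers):
    """Audit check for a captured response: True if a shared cache is told to
    either vary on Cookie or not store the response at all."""
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
    cc = {v.strip().lower() for v in headers.get("Cache-Control", "").split(",")}
    return "cookie" in vary or bool(cc & {"private", "no-store"})


if __name__ == "__main__":
    for cls in (VulnerableSession, FixedSession):
        _, hdrs = membership_only_view(cls(user_id=42))
        print(cls.__name__, hdrs, "cache-safe:", is_cache_safe(hdrs))
```

Running the block prints the header map produced by each model for a session that was only probed with `in`; the vulnerable model yields no `Vary` entry and fails `is_cache_safe`, while the fixed model adds `Vary: Cookie`. `is_cache_safe` is the check to run over responses captured in front of a caching proxy when deciding whether the advisory's preconditions hold for a deployment that cannot upgrade immediately.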
--- Begin Message ---
Source: flask
Source-Version: 3.1.3-1
This fixes CVE-2026-27205, closing manually.
Regards,
Salvatore
On Fri, Feb 27, 2026 at 09:18:48AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 27 Feb 2026 10:02:35 +0100
> Source: flask
> Architecture: source
> Version: 3.1.3-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Thomas Goirand <[email protected]>
> Changes:
> flask (3.1.3-1) unstable; urgency=medium
> .
> * New upstream release.
> Checksums-Sha1:
> 653c3a2fc16d05de2d1a2aff7dbda37fa6131a6d 2788 flask_3.1.3-1.dsc
> 1d17eab40af3e56f917df11cdee45bfb6313822b 765885 flask_3.1.3.orig.tar.gz
> e3003a32bc7abb858ff66dc7cc368170d31eb11f 10100 flask_3.1.3-1.debian.tar.xz
> 8e43ca25a2ff4186e08f2c720a67a9acfe19ba72 8681 flask_3.1.3-1_amd64.buildinfo
> Checksums-Sha256:
> 8eac0cb03eb95885716fee9bf9fcb4771498cc89c2a3f4169715cb27bcc6c10f 2788 flask_3.1.3-1.dsc
> 2673e3831257e541d38b0cdf0f434371ba34f3d4472d53d0a23b178054a1fca5 765885 flask_3.1.3.orig.tar.gz
> 7b7bbc3f679e8da6e5aab9a86429cae79902178eede31b842b89fa266f8dc4ef 10100 flask_3.1.3-1.debian.tar.xz
> 85cf0f40ce3e3fd044656cb8e335f47e22bebb0e6b3ba0fef58d97f4146ddd23 8681 flask_3.1.3-1_amd64.buildinfo
> Files:
> 6a7aaffcce6abb43e5219883e6427270 2788 python optional flask_3.1.3-1.dsc
> eb862fedc07049527b5791b8753e632f 765885 python optional flask_3.1.3.orig.tar.gz
> 20a1a23c9e9377ed8312a73ebcf8f525 10100 python optional flask_3.1.3-1.debian.tar.xz
> 2e40563eafccdfdb663f4e5925166352 8681 python optional flask_3.1.3-1_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmmhXnMACgkQ1BatFaxr
> Q/6HQw//YSp/i5BeLHqQU1Gqr1kbTC+Jkd5ay8ajZUONBO1k98/hLr+HRo2EY2TL
> N73mr8rqb32MYVPvtSvIs4kWLw26lGRCpwdUcyV4SbDbWsE/xbFhbKbz3oDSUhvg
> 5GVC4v1tGdAqS+GGgWXDdqptzBctj+I9yfadmgNpIjOYBDc2HfpDB/pkISHEp7ZS
> sH9RkJcSLoaW/iT/+JmKhxHhui14YZqHq3T+q1gkw1aBM0uNJjovgayXXN8LsNod
> KV9eOAW6/uTfIGySKlDaHf34Kx247ygORohxKdUBGuXqDUJ2wkUOlWjpJA630p32
> P1p7WAt7v8rOrk0RGB50PGmENQdfSllVpB6rXF+jeBO1m6+n4+2bI68F4jNAH/QH
> hje/TyKjF6hz6iQHyDc6WdgOo7b/qhrJYkstT3tkehpgBWFEP+wriFDtPV31XJT0
> vftWlPgwNwt5EqNNzL/2xH4Q7zR1ZoEj6R7axGBMv/1FkKNLaZ4G7r9mSmk64aJv
> IT7BywohG9jHYOGciYjnfkfRXrQ88+meYf5CLHgFUsd0xgAas9EDX/1nUbM6VyPL
> 4L0dBGtJVm7KjoUXYybxatsMNQP2Znc5t33I8+bv+y6Ll8xs79qpwbIUEBR5Mkkk
> MmOKvm0I4yINmqkmZpLAy0buF2kaf0IumxbDMymYGNaOl3IE6UI=
> =/FdI
> -----END PGP SIGNATURE-----
--- End Message ---