Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:

d5b23994 by Salvatore Bonaccorso at 2019-07-17T20:49:50Z

Add CVE-2019-1010083/flask

The only thing which is known so far is that it is 'fixed in the 1.0 release'. The CVE was assigned by the former DWF project, but apart from https://www.palletsprojects.com/blog/flask-1-0-released/ there is no reference given.

The upstream release information notes:

JSON Security Fix

Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text related encodings that could result in unexpected memory use by a request. Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -11136,7 +11136,8 @@ CVE-2019-1010085
CVE-2019-1010084 (Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect ...)
TODO: check
CVE-2019-1010083 (The Pallets Project Flask before 1.0 is affected by: unexpected memory ...)
- TODO: check
+ - flask 1.0.2-1
+ TODO: check fixing commit(s)
CVE-2019-1010082
RESERVED
CVE-2019-1010081

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5b23994c8b1d8052161483f799618838f9c4769
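Review bot: the fixed-version line `- flask 1.0.2-1` added for CVE-2019-1010083 rests only on the "fixed in the 1.0 release" statement from the commit message, and the entry itself carries no reference. Consider recording the upstream release announcement (https://www.palletsprojects.com/blog/flask-1-0-released/) in the entry alongside `TODO: check fixing commit(s)`, so that whoever picks up the TODO finds the source of the 1.0 claim in the tracker rather than only in this commit message.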
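The release note quoted in the commit describes the fix only in one sentence: detect the JSON document's encoding from its bytes, restricted to the UTF encodings, instead of handing a client-supplied charset to Python's codec registry. The following is an added illustration of that idea, not code from Flask, Werkzeug or the Debian tracker. It follows the sniffing rule of RFC 7159 section 3 (JSON text is UTF-8, UTF-16 or UTF-32 and its first two characters are ASCII, so the positions of NUL bytes among the first four bytes reveal width and byte order) and ignores the declared charset entirely; the function names and sample bodies are constructed for the example.

```python
import codecs
import json
from typing import Optional

# Added illustration (not Flask's or Werkzeug's own code): choose the JSON
# document's encoding from its own bytes, never from the request's charset,
# so a request cannot select an arbitrary codec from Python's registry.

SUPPORTED = ("utf-8", "utf-16-le", "utf-16-be", "utf-32-le", "utf-32-be")

# Byte-order marks, 4-byte ones first so UTF-32-LE (FF FE 00 00) is not
# mistaken for UTF-16-LE (FF FE).
_BOMS = (
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
)


def detect_utf_encoding(data: bytes) -> str:
    """Return one of SUPPORTED for a JSON document, judged from its first bytes."""
    for bom, name in _BOMS:
        if data.startswith(bom):
            return name
    head = data[:4]
    if len(head) < 4:
        # Very short documents such as "1" or "[]": UTF-32 is impossible,
        # so only a one- or two-byte code unit width needs distinguishing.
        if len(head) >= 2:
            if head[0] == 0:
                return "utf-16-be"
            if head[1] == 0:
                return "utf-16-le"
        return "utf-8"
    # An ASCII character is 1 byte in UTF-8, 2 in UTF-16 and 4 in UTF-32,
    # so the pattern of NUL bytes identifies the encoding (RFC 7159 s.3).
    if head[0] == 0 and head[1] == 0 and head[2] == 0:   # 00 00 00 xx
        return "utf-32-be"
    if head[0] == 0 and head[2] == 0:                    # 00 xx 00 xx
        return "utf-16-be"
    if head[1] == 0 and head[2] == 0 and head[3] == 0:   # xx 00 00 00
        return "utf-32-le"
    if head[1] == 0 and head[3] == 0:                    # xx 00 xx 00
        return "utf-16-le"
    return "utf-8"                                       # xx xx xx xx


def load_json_body(data: bytes, declared_charset: Optional[str] = None) -> object:
    """Parse a JSON request body using only a detected UTF encoding.

    `declared_charset` stands for the charset parameter of the Content-Type
    header. It is accepted for illustration and deliberately not used to
    pick the codec: trusting it is exactly what the release note above says
    the old behaviour did, and it could name a non-text codec.
    """
    encoding = detect_utf_encoding(data)
    assert encoding in SUPPORTED  # the detector can only return these
    text = data.decode(encoding)
    # A BOM decodes to U+FEFF, which the JSON grammar does not allow.
    if text.startswith("\ufeff"):
        text = text[1:]
    return json.loads(text)


if __name__ == "__main__":
    # Constructed sample bodies: the same document in several encodings,
    # plus a charset value that names a codec a client should never select.
    doc = '{"cve": "CVE-2019-1010083", "fixed": "1.0"}'
    for enc in SUPPORTED:
        body = doc.encode(enc)
        print(enc, "->", detect_utf_encoding(body), load_json_body(body, "zlib"))
```

Feeding `load_json_body` a body labelled with a charset such as `zlib` makes no difference to the outcome, which is the property the 1.0 release note describes: the codec is chosen from the bytes and limited to the five UTF variants, so the charset parameter can no longer steer decoding.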
