python-flask-cors (3.0.9-2+deb11u1) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764).
    - An attacker can inject fake log entries into the log file by sending a
      specially crafted GET request containing a CRLF sequence in the request
      path, allowing them to corrupt log files, potentially covering tracks of
      other attacks, confusing log post-processing tools, and forging log
      entries.
  * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988).
    - The request path matching is case-insensitive. This results in a
      mismatch because paths in URLs are case-sensitive, but the regex
      matching treats them as case-insensitive. This misconfiguration can
      lead to significant security vulnerabilities, allowing unauthorized
      origins to access paths meant to be restricted, resulting in data
      exposure and potential leaks.
  * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to
    fix CVE-2024-6839 (closes: #1100988).
    - There is an improper regex path matching vulnerability. The plugin
      prioritizes longer regex patterns over more specific ones when matching
      paths, which can lead to less restrictive CORS policies being applied
      to sensitive endpoints. This mismatch in regex pattern priority allows
      unauthorized cross-origin access to sensitive data or functionality,
      potentially exposing confidential information and increasing the risk
      of unauthorized actions by malicious actors.
  * d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988).
    - The request.path is passed through the unquote_plus function, which
      converts the '+' character to a space ' '. This behavior leads to
      incorrect path normalization, causing potential mismatches in CORS
      configuration. As a result, endpoints may not be matched correctly to
      their CORS settings, leading to unexpected CORS policy application.
      This can cause unauthorized cross-origin access or block valid
      requests, creating security vulnerabilities and usability issues.

 -- Daniel Leidert  Sat, 31 May 2025 03:40:23 +0200

python-flask-cors (3.0.9-2) unstable; urgency=medium

  * Team upload.

  [ Bastian Germann ]
  * d/copyright: Fix superfluous licence.

 -- Louis-Philippe Véronneau  Fri, 18 Dec 2020 11:06:56 -0500

python-flask-cors (3.0.9-1) unstable; urgency=medium

  * Team upload.

  [ Louis-Philippe Véronneau ]
  * d/gbp.conf: use team's branch names and migrate to debian/master.
  * d/control: upgrade to dh13.
  * d/control: update Standards-Version to 4.5.1. Add Rules-Requires-Root.
  * d/control: the team is not called the Python Team.
  * d/tests: add autopkgtest.

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.1.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa layout.

  [ Bastian Germann ]
  * Add gbp.conf
  * New upstream version 3.0.9 (Closes: #950058, #969362)

 -- Louis-Philippe Véronneau  Fri, 18 Dec 2020 10:54:57 -0500

python-flask-cors (3.0.8-2) unstable; urgency=medium

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.0.

  [ Stewart Ferguson ]
  * Bumping version to facilitate source-only upload

 -- Stewart Ferguson  Tue, 30 Jul 2019 19:11:58 +0200

python-flask-cors (3.0.8-1) unstable; urgency=medium

  * Upstream release 3.0.8
  * Bumping standards-version 4.2.1 -> 4.3.0 (no changes required)
  * Bumping compat 11 -> 12 and replacing d/compat with newer build-dep
  * Adding d/upstream/metadata

 -- Stewart Ferguson  Sun, 09 Jun 2019 09:29:19 +0200

python-flask-cors (3.0.7-1) unstable; urgency=medium

  * Initial release (Closes: #915789)

 -- Stewart Ferguson  Wed, 05 Dec 2018 21:51:05 +0100
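The three path-matching defects described in the CVE-2024-6866, CVE-2024-6839 and CVE-2024-6844 entries above, as an added illustration that is neither Flask-Cors code nor the Debian patches: a constructed resource table, a `weak_match` that embodies all three defects (case-insensitive regex, longest pattern tried first, `unquote_plus` turning '+' into a space) and a `strict_match` that applies the configured order, preserves case and decodes only %XX escapes. All patterns, paths and origins are constructed sample values.

```python
"""Constructed CORS resource matcher (illustration only, not Flask-Cors code)."""
import re
from urllib.parse import unquote, unquote_plus

# Constructed resource table, written most specific first as an operator would.
RESOURCES = [
    (r"^/api/public/secret$", {"origins": ["https://app.example"]}),   # restricted
    (r"^/api/(?:public|docs|help)/.*$", {"origins": "*"}),            # open to any origin
    (r"^/api/tags/c\+\+$", {"origins": "*"}),                         # literal '+' in path
    (r"^/api/.*$", {"origins": ["https://app.example"]}),             # restricted default
]


def weak_match(path):
    """Reproduce the three defects: '+' decoded as a space (CVE-2024-6844),
    case ignored (CVE-2024-6866), longest pattern wins (CVE-2024-6839).
    Returns the pattern whose policy would be applied, or None."""
    normalized = unquote_plus(path)
    ordered = sorted(RESOURCES, key=lambda r: len(r[0]), reverse=True)
    for pattern, _policy in ordered:
        if re.match(pattern, normalized, re.IGNORECASE):
            return pattern
    return None


def strict_match(path):
    """Configured order wins, case is preserved, only %XX escapes are decoded."""
    normalized = unquote(path)
    for pattern, _policy in RESOURCES:
        if re.match(pattern, normalized):
            return pattern
    return None


if __name__ == "__main__":
    # Each constructed path is one of the mismatches the changelog describes.
    for p in ("/api/public/secret", "/api/Docs/intro", "/api/tags/c++"):
        print(f"{p:22} weak -> {weak_match(p)!r:36} strict -> {strict_match(p)!r}")
```

The first path gets the open policy under `weak_match` only because the open pattern is longer; the second only because case is ignored; the third falls through to the restricted default because its '+' was decoded to a space, which is the "block valid requests" side of CVE-2024-6844.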