Format: 1.8
Date: Sat, 31 May 2025 03:40:23 +0200
Source: python-flask-cors
Architecture: source
Version: 3.0.9-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Stewart Ferguson <stew@ferg.aero>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 1069764 1100988
Changes:
 python-flask-cors (3.0.9-2+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764).
     - An attacker can inject fake log entries into the log file by sending a
       specially crafted GET request containing a CRLF sequence in the request
       path, allowing them to corrupt log files, potentially covering tracks of
       other attacks, confusing log post-processing tools, and forging log
       entries.
   * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988).
     - The request path matching is case-insensitive. This results in a
       mismatch because paths in URLs are case-sensitive, but the regex
       matching treats them as case-insensitive. This misconfiguration can lead
       to significant security vulnerabilities, allowing unauthorized origins
       to access paths meant to be restricted, resulting in data exposure and
       potential leaks.
   * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to
     fix CVE-2024-6839 (closes: #1100988).
     - There is an improper regex path matching vulnerability. The plugin
       prioritizes longer regex patterns over more specific ones when matching
       paths, which can lead to less restrictive CORS policies being applied to
       sensitive endpoints. This mismatch in regex pattern priority allows
       unauthorized cross-origin access to sensitive data or functionality,
       potentially exposing confidential information and increasing the risk of
       unauthorized actions by malicious actors.
   * d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988).
     - The request.path is passed through the unquote_plus function, which
       converts the '+' character to a space ' '. This behavior leads to
       incorrect path normalization, causing potential mismatches in CORS
       configuration. As a result, endpoints may not be matched correctly to
       their CORS settings, leading to unexpected CORS policy application. This
       can cause unauthorized cross-origin access or block valid requests,
       creating security vulnerabilities and usability issues.
Checksums-Sha1:
 899ec7169314e010a08e3498c51ea0408101d71c 2246 python-flask-cors_3.0.9-2+deb11u1.dsc
 ad7f48be5e0b4bc970fbc1dd2957dcb9a25992af 29222 python-flask-cors_3.0.9.orig.tar.gz
 f497b907d3804b02412f732099633c440bfee701 9632 python-flask-cors_3.0.9-2+deb11u1.debian.tar.xz
 8e3685116f40b9cec31784ec56ea7eaed8e09a55 8376 python-flask-cors_3.0.9-2+deb11u1_amd64.buildinfo
Checksums-Sha256:
 3c82010dedbf4361997d9ced1979f16f171aeddd3b3de99e128be5f180309638 2246 python-flask-cors_3.0.9-2+deb11u1.dsc
 d1d40cfd97f7b126db99ae82df20a8748124d1cd7467b463217e9e043db43658 29222 python-flask-cors_3.0.9.orig.tar.gz
 d86ff5422512bed34214495c42c13ecefa68660e16c48c5b686dd0d62922a3bb 9632 python-flask-cors_3.0.9-2+deb11u1.debian.tar.xz
 e47c5e1a3267b99ca13a3f3aa0093b6eba0a13c72b31a85a37f62052ce6139d3 8376 python-flask-cors_3.0.9-2+deb11u1_amd64.buildinfo
Files:
 dd613dedac19ff92e13fd625461cea7a 2246 python optional python-flask-cors_3.0.9-2+deb11u1.dsc
 b32cc11e9f69c0f1adc216c42d77215a 29222 python optional python-flask-cors_3.0.9.orig.tar.gz
 ef6fc147e467c49f46bf3ba71337c229 9632 python optional python-flask-cors_3.0.9-2+deb11u1.debian.tar.xz
 ad4e089489cb4a951bd0e8d6dba2ec61 8376 python optional python-flask-cors_3.0.9-2+deb11u1_amd64.buildinfo
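The four defects the changelog describes, shown side by side in one added, stand-alone path matcher; this is illustrative code written for this page, not flask-cors' own code, and it does not reproduce the library's internals. The resource list, the "before" matcher and the hardened matcher (declared-order, case-sensitive, full-path matching with `unquote`) are all constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote, unquote_plus

# Constructed sample CORS configuration (regex -> policy name), listed most
# specific first.  "/api/admin/.*" is meant to be the only match for admin
# paths; the second pattern is longer as a string but far more permissive.
RESOURCES = [
    (r"/api/admin/.*", "admin-only"),
    (r"/api/[A-Za-z0-9_/+-]*", "public"),
]


def match_before_fix(path: str) -> Optional[str]:
    """Path matching as the changelog describes it before the patches."""
    path = unquote_plus(path)                     # CVE-2024-6844: '+' -> ' '
    # CVE-2024-6839: the longest regex string wins, not the most specific one.
    ordered = sorted(RESOURCES, key=lambda r: len(r[0]), reverse=True)
    for pattern, policy in ordered:
        if re.fullmatch(pattern, path, re.IGNORECASE):   # CVE-2024-6866
            return policy
    return None


def match_after_fix(path: str) -> Optional[str]:
    """Hardened matcher (assumed design, not the actual flask-cors patch)."""
    path = unquote(path)                          # '+' stays a literal '+'
    for pattern, policy in RESOURCES:             # declared order, specific first
        if re.fullmatch(pattern, path):           # case-sensitive
            return policy
    return None


def safe_log_path(path: str) -> str:
    """CVE-2024-1681: neutralise CR/LF so a request path cannot forge log lines."""
    return path.replace("\r", "\\r").replace("\n", "\\n")


if __name__ == "__main__":
    for p in ["/api/admin/users", "/API/admin/users", "/api/a+b"]:
        print(f"{p:18} before={match_before_fix(p)!s:11} after={match_after_fix(p)}")
    print(repr(safe_log_path("/api/x\r\nforged")))
```

Note that the admin path receives the permissive policy before the fix purely because of pattern length, and that `/api/a+b` is wrongly rejected before the fix because `unquote_plus` turned it into `/api/a b`.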