Debian Package Tracker

flask-security

Simple security for Flask apps (Python 3)


general
  • source: flask-security (main)
  • version: 3.4.2-2
  • maintainer: Debian Python Modules Team (archive) (DMD)
  • uploaders: Adrian Vondendriesch [DMD] [DM]
  • arch: all
  • std-ver: 4.5.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 1.7.5-2
  • testing: 3.4.2-2
  • unstable: 3.4.2-2
versioned links
  • 1.7.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.4.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python3-flask-security
action needed
Marked for autoremoval on 17 February due to pytest-pep8: #977064 high
Version 3.4.2-2 of flask-security is marked for autoremoval from testing on Wed 17 Feb 2021. It depends (transitively) on pytest-pep8, affected by #977064. You should try to prevent the removal by fixing these RC bugs.
Created: 2021-01-17 Last update: 2021-01-21 01:07
A new upstream version is available: 4.0.0~rc1 high
A new upstream version 4.0.0~rc1 is available, you should consider packaging it.
Created: 2020-06-29 Last update: 2021-01-20 22:36
1 security issue in sid high
There is 1 open security issue in sid.
1 important issue:
  • CVE-2021-21241: The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious third-party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable.
Please fix it.
Created: 2021-01-15 Last update: 2021-01-15 22:04
1 security issue in bullseye high
There is 1 open security issue in bullseye.
1 important issue:
  • CVE-2021-21241: The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious third-party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable.
Please fix it.
Created: 2021-01-15 Last update: 2021-01-15 22:04
lintian reports 2 errors high
Lintian reports 2 errors about this package. You should make the package lintian-clean by getting rid of them.
Created: 2020-10-22 Last update: 2020-10-22 04:32
Depends on packages which need a new maintainer normal
The packages that flask-security depends on which need a new maintainer are:
  • flask-babelex (#980142)
    • Build-Depends: python3-flask-babelex
    • Depends: python3-flask-babelex
  • speaklater (#980143)
    • Depends: python3-speaklater
Created: 2021-01-15 Last update: 2021-01-21 01:07
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 3.4.2-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 8fe9433cb0d5e15d9ac1d551f47b55a8d59a687b
Author: Ondřej Nový <onovy@debian.org>
Date:   Thu Sep 24 08:59:35 2020 +0200

    d/control: Update Vcs-* fields with new Debian Python Team Salsa layout

commit 71037ff6842c6a0e13d9e5684fed178291a615fb
Author: Ondřej Nový <onovy@debian.org>
Date:   Thu Sep 24 08:59:35 2020 +0200

    d/control: Update Maintainer field with new Debian Python Team contact address

commit 469c5343840e3a6eccb31404dc7437564af84198
Merge: 298f557 8e14e84
Author: Jelmer Vernooij <jelmer@debian.org>
Date:   Mon Sep 7 15:40:41 2020 +0000

    Merge branch 'lintian-fixes' into 'debian/master'
    
    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse
    
    See merge request python-team/modules/flask-security!1

commit 8e14e846bbeb07e1cdc5eb63210b557a4f679198
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Wed Sep 2 06:32:19 2020 +0000

    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse.
    
    Changes-By: lintian-brush
    Fixes: lintian: upstream-metadata-file-is-missing
    See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
    Fixes: lintian: upstream-metadata-missing-bug-tracking
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-bug-tracking.html
    Fixes: lintian: upstream-metadata-missing-repository
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-repository.html


https://salsa.debian.org/api/v4/projects/python-team%2Fmodules%2Fflask-security API request failed: 404 Not Found at /srv/qa.debian.org/data/vcswatch/vcswatch line 379.
Created: 2020-09-07 Last update: 2021-01-18 17:34
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-07-06 Last update: 2020-07-06 04:35
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).
Created: 2020-11-17 Last update: 2020-11-17 05:41
news
  • [2020-07-12] flask-security 3.4.2-2 MIGRATED to testing (Debian testing watch)
  • [2020-07-06] Accepted flask-security 3.4.2-2 (source) into unstable (Scott Talbert)
  • [2020-07-04] Accepted flask-security 3.4.2-1 (source) into unstable (Christoph Berg) (signed by: Scott Talbert)
  • [2019-01-15] flask-security 1.7.5-2 MIGRATED to testing (Debian testing watch)
  • [2018-12-12] flask-security REMOVED from testing (Debian testing watch)
  • [2018-05-13] flask-security 1.7.5-2 MIGRATED to testing (Debian testing watch)
  • [2018-05-08] flask-security REMOVED from testing (Debian testing watch)
  • [2018-01-29] flask-security 1.7.5-2 MIGRATED to testing (Debian testing watch)
  • [2018-01-24] Accepted flask-security 1.7.5-2 (source) into unstable (Christoph Berg)
  • [2018-01-13] flask-security 1.7.5-1 MIGRATED to testing (Debian testing watch)
  • [2018-01-02] Accepted flask-security 1.7.5-1 (source all) into unstable, unstable (Christoph Berg)
bugs [bug history graph]
  • all: 1
  • RC: 1
  • I&N: 0
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (2, 0)
  • buildd: logs, clang, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • l10n (-, 51)
  • debci
ubuntu
  • version: 3.4.2-2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers