Your message dated Sat, 24 Oct 2020 10:23:27 +0000
with message-id <e1kwghr-000ait...@fasolo.debian.org>
and subject line Bug#969362: fixed in python-flask-cors 3.0.7-1+deb10u1
has caused the Debian Bug report #969362,
regarding python-flask-cors: CVE-2020-25032
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
969362: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969362
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-flask-cors
Version: 3.0.8-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.0.7-1
Hi,
The following vulnerability was published for python-flask-cors.
CVE-2020-25032[0]:
| An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
| before 3.0.9. It allows ../ directory traversal to access private
| resources because resource matching does not ensure that pathnames are
| in a canonical format.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
[1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
Regards,
Salvatore
--- End Message ---
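The failure mode named in the CVE description above, as an added example that is not part of the original messages and is not Flask-CORS's own code: a resource pattern matched against the raw request path versus the canonical one. The policy, sample paths and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed policy: only /api/public/... is meant to get permissive CORS headers.
RESOURCES = [(re.compile(r"^/api/public/.*$"), {"origins": "*"})]


def match_raw(path):
    """Weak form: match the resource pattern against the path as received."""
    for pattern, options in RESOURCES:
        if pattern.match(path):
            return options
    return None


def canonicalize(path):
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    decoded = unquote(path)
    normalized = "/" + posixpath.normpath("/" + decoded).lstrip("/")
    # normpath drops a trailing slash; restore it so prefix patterns still apply.
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def match_canonical(path):
    """Hardened form: canonicalize first, then match."""
    return match_raw(canonicalize(path))


# Constructed request paths: two ordinary, two non-canonical.
SAMPLES = [
    "/api/public/items",
    "/api/public//items",
    "/api/public/../private/keys",
    "/api/public/%2e%2e/private/keys",
]

if __name__ == "__main__":
    for p in SAMPLES:
        raw_hit = match_raw(p) is not None
        canon_hit = match_canonical(p) is not None
        print(f"{p:36} raw={raw_hit!s:5} canonical={canon_hit!s:5} -> {canonicalize(p)}")
```

The two non-canonical samples satisfy the raw match even though they resolve outside /api/public/; after canonicalization they no longer match the policy.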
--- Begin Message ---
Source: python-flask-cors
Source-Version: 3.0.7-1+deb10u1
Done: Bastian Germann <bastiangerm...@fishpost.de>
We believe that the bug you reported is fixed in the latest version of
python-flask-cors, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <bastiangerm...@fishpost.de> (supplier of updated
python-flask-cors package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 08 Oct 2020 21:40:11 +0200
Source: python-flask-cors
Architecture: source
Version: 3.0.7-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Stewart Ferguson <s...@ferg.aero>
Changed-By: Bastian Germann <bastiangerm...@fishpost.de>
Closes: 969362
Changes:
python-flask-cors (3.0.7-1+deb10u1) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2020-25032 (Closes: #969362) with upstream patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---