Your message dated Thu, 11 May 2023 11:04:07 +0000
with message-id <e1px45f-009jkb...@fasolo.debian.org>
and subject line Bug#1035670: fixed in flask 2.2.2-3
has caused the Debian Bug report #1035670,
regarding flask: CVE-2023-30861: Possible disclosure of permanent session
cookie due to missing Vary: Cookie header
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1035670: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035670
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: flask
Version: 2.2.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for flask.
CVE-2023-30861[0]:
| Flask is a lightweight WSGI web application framework. When all of the
| following conditions are met, a response containing data intended for
| one client may be cached and subsequently sent by the proxy to other
| clients. If the proxy also caches `Set-Cookie` headers, it may send
| one client's `session` cookie to other clients. The severity depends
| on the application's use of the session and the proxy's behavior
| regarding cookies. The risk depends on all these conditions being met.
|
| 1. The application must be hosted behind a caching proxy that does not
|    strip cookies or ignore responses with cookies.
| 2. The application sets `session.permanent = True`
| 3. The application does not access or modify the session at any point
|    during a request.
| 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
| 5. The application does not set a `Cache-Control` header to indicate
|    that a page is private or should not be cached.
|
| This happens because vulnerable versions of Flask only set the
| `Vary: Cookie` header when the session is accessed or modified, not when
| it is refreshed (re-sent to update the expiration) without being accessed
| or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-30861
https://www.cve.org/CVERecord?id=CVE-2023-30861
[1] https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
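The five conditions in the advisory above are easier to reason about when the session layer and the shared cache sit side by side. The following Python model is an added example for this report; it is not Flask's code, not the upstream patch and not part of the Debian thread. `Session`, `session_headers`, `handle`, `SharedCache`, `audit_headers`, the `signed-blob-for-<user>` cookie format and the naive cache policy are all assumptions made for illustration. `fixed=False` reproduces the ordering the advisory describes (Vary: Cookie only when the session was accessed or modified, while a permanent session is still refreshed on every request); `fixed=True` adds Vary: Cookie whenever a session cookie is sent. `audit_headers` is the check a practitioner can run over captured response headers from any app, not just Flask.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Simplified stand-in for a Flask cookie session (assumption, not Flask's class)."""
    user: str
    permanent: bool = False
    accessed: bool = False
    modified: bool = False

    def get_user(self):
        self.accessed = True  # any read marks the session as accessed
        return self.user


def session_headers(session, *, refresh_each_request=True, fixed=True):
    """Headers the session layer adds when the response is finalised.

    fixed=False mirrors the advisory: Vary: Cookie only when the session was
    accessed or modified, although a permanent session is still re-sent.
    """
    headers = {}
    # Conditions 2 and 4: a permanent session is refreshed even if untouched.
    should_set_cookie = session.modified or (
        session.permanent and refresh_each_request
    )
    touched = session.accessed or session.modified
    if touched or (fixed and should_set_cookie):
        headers["Vary"] = "Cookie"
    if should_set_cookie:
        # Per-user signed cookie; a cache replaying it to another client is the bug.
        headers["Set-Cookie"] = f"session=signed-blob-for-{session.user}"
    return headers


def handle(path, request_headers, *, fixed):
    """Origin view: public page, never touches the session (condition 3)."""
    cookie = request_headers.get("Cookie", "")
    user = cookie.removeprefix("session=signed-blob-for-") or "anonymous"
    session = Session(user=user, permanent=True)
    headers = {"Content-Type": "text/html"}  # condition 5: no Cache-Control set
    headers.update(session_headers(session, fixed=fixed))
    return headers


class SharedCache:
    """Naive caching proxy (condition 1): keeps Set-Cookie and honours only
    Cache-Control: private/no-store and the Vary header (model, not a real proxy)."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}  # (path, ((header, value), ...)) -> response headers

    @staticmethod
    def _cacheable(headers):
        cc = headers.get("Cache-Control", "").lower()
        return "private" not in cc and "no-store" not in cc

    def get(self, path, request_headers):
        """Return (response_headers, served_from_cache)."""
        for (stored_path, vary_values), response in self.store.items():
            if stored_path == path and all(
                request_headers.get(name) == value for name, value in vary_values
            ):
                return response, True
        response = self.origin(path, request_headers)
        if self._cacheable(response):
            names = [v.strip() for v in response.get("Vary", "").split(",") if v.strip()]
            key = (path, tuple((n, request_headers.get(n)) for n in names))
            self.store[key] = response
        return response, False


def demo(fixed):
    """Two clients behind one cache; returns the Set-Cookie each receives and whether Bob hit the cache."""
    cache = SharedCache(lambda path, req: handle(path, req, fixed=fixed))
    alice, _ = cache.get("/", {"Cookie": "session=signed-blob-for-alice"})
    bob, hit = cache.get("/", {"Cookie": "session=signed-blob-for-bob"})
    return alice.get("Set-Cookie"), bob.get("Set-Cookie"), hit


def audit_headers(headers):
    """Flag a response whose Set-Cookie a shared cache could store and replay."""
    findings = []
    if "Set-Cookie" not in headers:
        return findings
    vary = [v.strip().lower() for v in headers.get("Vary", "").split(",")]
    cc = headers.get("Cache-Control", "").lower()
    if "cookie" not in vary and "*" not in vary:
        findings.append("Set-Cookie without Vary: Cookie")
    if "private" not in cc and "no-store" not in cc:
        findings.append("Set-Cookie without Cache-Control: private/no-store")
    return findings


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", demo(fixed))
```

With `fixed=False` Bob is served Alice's cached response, session cookie included; with `fixed=True` the Vary: Cookie header makes the cache key include the request cookie, so Bob's request misses and reaches the origin. `audit_headers` still reports the missing Cache-Control on the fixed response: the upstream patch only restores Vary: Cookie, and the advisory's condition 5 is a separate, app-side control worth setting on any response that carries a session cookie.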
--- Begin Message ---
Source: flask
Source-Version: 2.2.2-3
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
flask, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated flask package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 11 May 2023 12:39:19 +0200
Source: flask
Architecture: source
Version: 2.2.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1035670
Changes:
flask (2.2.2-3) unstable; urgency=high
.
* CVE-2023-30861: Flask vulnerable to possible disclosure of permanent
session cookie due to missing Vary: Cookie header. Applied upstream patch:
set Vary: Cookie header consistently for session (Closes: #1035670).
Checksums-Sha1:
f6ea3261f449f168552d1ab0efc56c794a866389 2497 flask_2.2.2-3.dsc
e96fb745aad15c475173f092b2e4dd57c2ecab2b 8372 flask_2.2.2-3.debian.tar.xz
fde59a1b079c3466fc297d72cac08cadf225cd48 8511 flask_2.2.2-3_amd64.buildinfo
Checksums-Sha256:
c53168c98b85bd6b74b8ac6b810bad6bcdfc8be0ae8c6be98367a115ee7e9550 2497 flask_2.2.2-3.dsc
e20c2c4d90eb02780fa2712a4fd7b2c192bd856c403c8f104ebdffa5078bac21 8372 flask_2.2.2-3.debian.tar.xz
3d07c8f839a50f67f841583c0010edb598b767a436a31d839bbe5f2637787e3f 8511 flask_2.2.2-3_amd64.buildinfo
Files:
17139565f967b5b6698e2304f9def61b 2497 python optional flask_2.2.2-3.dsc
87128aed635fac063ace7b32cff22bb1 8372 python optional flask_2.2.2-3.debian.tar.xz
43bd28a9e49000a0f48fd4697689caa6 8511 python optional flask_2.2.2-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---