python-flask-cors (3.0.10-2+deb12u1) bookworm; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764).
    - An attacker can inject fake log entries into the log file by sending a
      specially crafted GET request containing a CRLF sequence in the request
      path, allowing them to corrupt log files, potentially covering tracks of
      other attacks, confusing log post-processing tools, and forging log
      entries.
  * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988).
    - The request path matching is case-insensitive. This results in a mismatch
      because paths in URLs are case-sensitive, but the regex matching treats
      them as case-insensitive. This misconfiguration can lead to significant
      security vulnerabilities, allowing unauthorized origins to access paths
      meant to be restricted, resulting in data exposure and potential leaks.
  * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to
    fix CVE-2024-6839 (closes: #1100988).
    - There is an improper regex path matching vulnerability. The plugin
      prioritizes longer regex patterns over more specific ones when matching
      paths, which can lead to less restrictive CORS policies being applied to
      sensitive endpoints. This mismatch in regex pattern priority allows
      unauthorized cross-origin access to sensitive data or functionality,
      potentially exposing confidential information and increasing the risk of
      unauthorized actions by malicious actors.
  * d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988).
    - The request.path is passed through the unquote_plus function, which
      converts the '+' character to a space ' '. This behavior leads to
      incorrect path normalization, causing potential mismatches in CORS
      configuration. As a result, endpoints may not be matched correctly to
      their CORS settings, leading to unexpected CORS policy application. This
      can cause unauthorized cross-origin access or block valid requests,
      creating security vulnerabilities and usability issues.

 -- Daniel Leidert <dleidert@debian.org>  Mon, 30 Jun 2025 02:59:32 +0200
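
The three path-matching issues and the log-injection issue described in the 3.0.10-2+deb12u1 entry, reproduced side by side with a stricter behaviour. This is an added Python example, not code from flask-cors or from the Debian patches; the resource map, the function names and the literal-first ordering are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed CORS resource map: path regex -> allowed origin (all hypothetical).
RESOURCES = {
    r"/api/(?:[a-z]+/?)*": "*",                # broad pattern, 18 characters
    r"/api/keys": "https://admin.example",     # exact pattern, 9 characters
    r"/files/a\+b": "https://admin.example",   # path containing a literal '+'
    r"/files/.*": "*",
}

def longest_first(pattern):
    """Ordering described for CVE-2024-6839: the longer regex is tried first."""
    return -len(pattern)

def literal_first(pattern):
    """One possible stricter ordering: metacharacter-free patterns win, then length."""
    return (re.escape(pattern) != pattern, -len(pattern))

def allowed_origin(path, order=literal_first, flags=0, decode=unquote):
    """Return the origin of the first pattern that fully matches the decoded path."""
    path = decode(path)
    for pattern in sorted(RESOURCES, key=order):
        if re.fullmatch(pattern, path, flags):
            return RESOURCES[pattern]
    return None

def log_safe(path):
    """Escape CR/LF and other control characters so one request stays one log line."""
    return path.encode("unicode_escape").decode("ascii")

if __name__ == "__main__":
    # CVE-2024-6839: the longer, broader regex shadows the exact one.
    print(allowed_origin("/api/keys", order=longest_first))    # *
    print(allowed_origin("/api/keys"))                         # https://admin.example
    # CVE-2024-6866: case-insensitive matching applies a policy to a different path.
    print(allowed_origin("/FILES/report", flags=re.IGNORECASE))  # *
    print(allowed_origin("/FILES/report"))                       # None
    # CVE-2024-6844: in a URL path '+' is a literal plus, not an encoded space.
    print(allowed_origin("/files/a+b", decode=unquote_plus))   # *
    print(allowed_origin("/files/a+b"))                        # https://admin.example
    # CVE-2024-1681: a decoded CRLF must not reach the log file unescaped.
    print(log_safe(unquote("/x%0d%0aforged-entry")))           # /x\r\nforged-entry
```
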

python-flask-cors (3.0.10-2) unstable; urgency=medium

  * Team upload.
  * d/watch: Use git mode to check newer versions
  * d/control: Increase Standards-Version to 4.6.2
    No further modifications needed.
  * d/control: Adjust/update B-D, add BuildProfileSpecs
  * d/rules: Remove --with option from default target
  * d/copyright: Adjust Homepage to GH project space
  * d/u/metadata: Adjust some more data
  * d/copyright: Update year data
  * autopkgtest: Be more specific on depending packages

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 22 Jan 2023 09:52:05 +0100

python-flask-cors (3.0.10-1) unstable; urgency=medium

  * Team upload.
  * d/gbp.conf: Add more settings
  * New upstream version 3.0.10
  * Rebuild patch queue from patch-queue branch
    Renamed patches:
    remove_badges_from_doc
      -> debian-hacks/Privacy-Remove-linking-to-external-resources.patch
    redirect_api_links_locally
      -> debian-hacks/README-Link-to-internal-HTML-resource.patch
    Added patches:
    debian-hacks/docs-Use-local-inventory-for-Python3.patch
    upstream/Spelling-Fix-misspelled-word-conjuction.patch
    upstream/Spelling-Fix-misspelled-word-maching.patch
    Dropped patch (fixed upstream):
    spelling_error_in_manpage
  * d/control: Make DPT to the package maintainer
  * d/{control,rules}: Move over to dh-sequence-python3
  * d/control: Add new entries, sort Build-Depends alphabetical
    (Closes: #1018495)
  * d/u/metadata: Fix small typo
  * autopkgtest: Switch to use pytest instead of nose
  * d/rules: Use pytest to run internal tests
  * documentation: Build HTML and manpage by dh_sphinxdoc
  * d/control: Increase Standards-Version to 4.6.1
    No further modifications needed.
  * d/salsa-ci.yml: Adding Yaml CI control data for Salsa
    Rename d/.gitlab-ci.yml to d/salsa-ci.yml, update the content of the
    file.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 01 Nov 2022 08:15:36 +0100

python-flask-cors (3.0.9-2) unstable; urgency=medium

  * Team upload.

  [ Bastian Germann ]
  * d/copyright: Fix superfluous license.

 -- Louis-Philippe Véronneau <pollo@debian.org>  Fri, 18 Dec 2020 11:06:56 -0500

python-flask-cors (3.0.9-1) unstable; urgency=medium

  * Team upload.

  [ Louis-Philippe Véronneau ]
  * d/gbp.conf: use team's branch names and migrate to debian/master.
  * d/control: upgrade to dh13.
  * d/control: update Standards-Version to 4.5.1. Add Rules-Requires-Root.
  * d/control: the team is not called the Python Team.
  * d/tests: add autopkgtest.

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.1.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa
    layout.

  [ Bastian Germann ]
  * Add gbp.conf
  * New upstream version 3.0.9 (Closes: #950058, #969362)

 -- Louis-Philippe Véronneau <pollo@debian.org>  Fri, 18 Dec 2020 10:54:57 -0500

python-flask-cors (3.0.8-2) unstable; urgency=medium

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.0.

  [ Stewart Ferguson ]
  * Bumping version to facilitate source-only upload

 -- Stewart Ferguson <stew@ferg.aero>  Tue, 30 Jul 2019 19:11:58 +0200

python-flask-cors (3.0.8-1) unstable; urgency=medium

  * Upstream release 3.0.8
  * Bumping standards-version 4.2.1 -> 4.3.0 (no changes required)
  * Bumping compat 11 -> 12 and replacing d/compat with newer build-dep
  * Adding d/upstream/metadata

 -- Stewart Ferguson <stew@ferg.aero>  Sun, 09 Jun 2019 09:29:19 +0200

python-flask-cors (3.0.7-1) unstable; urgency=medium

  * Initial release (Closes: #915789)

 -- Stewart Ferguson <stew@ferg.aero>  Wed, 05 Dec 2018 21:51:05 +0100