openRuyi-tutorials/buildroot
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/python-flask-cors: security bump to v6.0.1

Browse Source 
This is a major version bump, because it could break user code that depends
on the (wrong) previous logic fixed by the new release

See the release notes:
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.0
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.1

This fixes the following vulnerabilities:
- CVE-2024-6839:
    corydolphin/flask-cors version 4.0.1 contains an improper regex path
    matching vulnerability. The plugin prioritizes longer regex patterns
    over more specific ones when matching paths, which can lead to less
    restrictive CORS policies being applied to sensitive endpoints. This
    mismatch in regex pattern priority allows unauthorized cross-origin
    access to sensitive data or functionality, potentially exposing
    confidential information and increasing the risk of unauthorized
    actions by malicious actors.
    https://www.cve.org/CVERecord?id=CVE-2024-6839

- CVE-2024-6844:
    A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
    inconsistent CORS matching due to the handling of the '+' character in
    URL paths. The request.path is passed through the unquote_plus
    function, which converts the '+' character to a space ' '. This
    behavior leads to incorrect path normalization, causing potential
    mismatches in CORS configuration. As a result, endpoints may not be
    matched correctly to their CORS settings, leading to unexpected CORS
    policy application. This can cause unauthorized cross-origin access or
    block valid requests, creating security vulnerabilities and usability
    issues.
    https://www.cve.org/CVERecord?id=CVE-2024-6844

- CVE-2024-6866:
    corydolphin/flask-cors version 4.01 contains a vulnerability where the
    request path matching is case-insensitive due to the use of the
    `try_match` function, which is originally intended for matching hosts.
    This results in a mismatch because paths in URLs are case-sensitive,
    but the regex matching treats them as case-insensitive. This
    misconfiguration can lead to significant security vulnerabilities,
    allowing unauthorized origins to access paths meant to be restricted,
    resulting in data exposure and potential data leaks.
    https://www.cve.org/CVERecord?id=CVE-2024-6866

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Titouan Christophe
2025-09-03 15:25:21 +02:00
committed by Peter Korsgaard
parent 0eefa1095d
commit 04cd135b26
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
package/python-flask-cors/python-flask-cors.hash
View File

@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/flask-cors/json
md5 a6e8202cc008ef6f70ce75a7ae7f8d9d flask_cors-5.0.0.tar.gz
sha256 5aadb4b950c4e93745034594d9f3ea6591f734bb3662e16e255ffbf5e89c88ef flask_cors-5.0.0.tar.gz
md5 2879503d54f25a4cacb62f7060b96e14 flask_cors-6.0.1.tar.gz
sha256 d81bcb31f07b0985be7f48406247e9243aced229b7747219160a0559edd678db flask_cors-6.0.1.tar.gz
# Locally computed sha256 checksums
sha256 6e1a1bdc54834c1e0740cbce5d5f6f2cae1c846fd2a7f482b11649594fafbd5d LICENSE

2
package/python-flask-cors/python-flask-cors.mk
View File

@@ -4,7 +4,7 @@
#
################################################################################
PYTHON_FLASK_CORS_VERSION = 5.0.0
PYTHON_FLASK_CORS_VERSION = 6.0.1
PYTHON_FLASK_CORS_SOURCE = flask_cors-$(PYTHON_FLASK_CORS_VERSION).tar.gz
PYTHON_FLASK_CORS_SITE = https://files.pythonhosted.org/packages/4f/d0/d9e52b154e603b0faccc0b7c2ad36a764d8755ef4036acbf1582a67fb86b
PYTHON_FLASK_CORS_SETUP_TYPE = setuptools