Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 765016 (CVE-2021-21241)

Summary: <dev-python/flask-security-3.4.5: CSRF vulnerability (CVE-2021-21241)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-hh7m-rx4f-4vpv
Whiteboard: B4 [noglsa cleanup]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2021-01-11 22:05:19 UTC
CVE text:
"The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable."

... which is confusing. Anyway, the URL for this bug has the actual flask-security security advisory, so I guess it affects us.
Comment 1 Sam James archtester gentoo-dev Security 2021-01-11 22:05:40 UTC
Please bump to 3.4.5.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-11 23:56:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82176833aacf96541f5af679e03e463667a4ce73

commit 82176833aacf96541f5af679e03e463667a4ce73
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-11 23:43:00 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-11 23:56:25 +0000

    dev-python/flask-security: Bump to 3.4.5
    
    Bug: https://bugs.gentoo.org/765016
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/flask-security/Manifest                 |  1 +
 .../flask-security/flask-security-3.4.5.ebuild     | 74 ++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2021-01-12 12:03:07 UTC
amd64 x86 (ALLARCHES) done

all arches done
Comment 4 John Helmert III gentoo-dev Security 2021-01-12 14:13:33 UTC
Please cleanup.