"The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable."
... which is confusing. Anyway, the URL for this bug has the actual flask-security security advisory, so I guess it affects us.
Please bump to 3.4.5.
The bug has been referenced in the following commit(s):
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: 2021-01-11 23:43:00 +0000
Commit: Michał Górny <email@example.com>
CommitDate: 2021-01-11 23:56:25 +0000
dev-python/flask-security: Bump to 3.4.5
Signed-off-by: Michał Górny <firstname.lastname@example.org>
dev-python/flask-security/Manifest | 1 +
.../flask-security/flask-security-3.4.5.ebuild | 74 ++++++++++++++++++++++
2 files changed, 75 insertions(+)
amd64 x86 (ALLARCHES) done
all arches done