CVE text: "The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds), which should make the token unusable." ... which is confusing. Anyway, the URL for this bug has the actual flask-security security advisory, so I guess it affects us.
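A regression check for the behaviour the advisory describes, added here as an example and not part of this bug, the CVE text, or the Flask-Security(-Too) code base: it inspects a captured GET /login or /change response body and reports whether an authentication token is present anywhere in it. The key name "authentication_token" and the "response" / "user" JSON layout are assumptions about how Flask-Security 3.x serialises its JSON responses (check them against the version you ship); the two sample bodies are constructed for the example and the token value in them is a placeholder, not a real token.

```python
import json

# Assumption: Flask-Security 3.x puts the token under this key in its JSON
# responses. Adjust if your version names it differently.
TOKEN_KEYS = ("authentication_token",)

# Endpoints the advisory names as leaking the token on GET.
AFFECTED_PATHS = ("/login", "/change")


def find_token_paths(obj, path=""):
    """Walk a decoded JSON body and return dotted paths of every non-empty
    token-bearing key, so the check does not depend on the exact nesting."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in TOKEN_KEYS and value:
                found.append(here)
            found.extend(find_token_paths(value, here))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            found.extend(find_token_paths(value, f"{path}[{idx}]"))
    return found


def get_leaks_token(method, path, body):
    """True if a GET to an affected endpoint returned a token in its body.

    Only GET matters here: the advisory's point is that GET is not covered by
    the CSRF token, so a cross-site page can trigger it with ambient cookies.
    Non-JSON bodies (e.g. the HTML login form) are treated as not leaking.
    """
    if method.upper() != "GET" or path not in AFFECTED_PATHS:
        return False
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False
    return bool(find_token_paths(data))


# Constructed sample bodies (not captured from a real server). The token
# string is a placeholder.
VULNERABLE_BODY = json.dumps({
    "meta": {"code": 200},
    "response": {"user": {"id": "1", "authentication_token": "PLACEHOLDER-TOKEN"}},
})

PATCHED_BODY = json.dumps({
    "meta": {"code": 200},
    "response": {"user": {"id": "1"}},
})


def run_checks():
    """Evaluate the constructed samples; returns a dict of results."""
    return {
        "vulnerable_get_login": get_leaks_token("GET", "/login", VULNERABLE_BODY),
        "patched_get_login": get_leaks_token("GET", "/login", PATCHED_BODY),
        # A POST that returns the token is the intended, CSRF-protected path.
        "post_login_with_token": get_leaks_token("POST", "/login", VULNERABLE_BODY),
        "html_form_body": get_leaks_token("GET", "/login", "<html>login form</html>"),
    }


if __name__ == "__main__":
    for name, leaked in run_checks().items():
        print(f"{name}: {'LEAK' if leaked else 'ok'}")
```

To use it against a real deployment, fetch GET /login and GET /change with an authenticated session cookie and an `Accept: application/json` header, and feed the response bodies to `get_leaks_token`; a version at or above 3.4.5 should report no leak.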
Please bump to 3.4.5.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82176833aacf96541f5af679e03e463667a4ce73

commit 82176833aacf96541f5af679e03e463667a4ce73
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-11 23:43:00 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-11 23:56:25 +0000

    dev-python/flask-security: Bump to 3.4.5

    Bug: https://bugs.gentoo.org/765016
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/flask-security/Manifest                   |  1 +
 .../flask-security/flask-security-3.4.5.ebuild       | 74 ++++++++++++++++++++++
 2 files changed, 75 insertions(+)
amd64 x86 (ALLARCHES) done

all arches done
Please cleanup.
Done in March:

commit 5eb38e39bb838415ba4cd33ce58fbfc7ba44a1dc
Author: Michał Górny <mgorny@gentoo.org>
Date: Tue Mar 2 09:51:29 2021 +0100

    dev-python/flask-security: Remove old

    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 delete mode 100644 dev-python/flask-security/files/flask-security-3.4.3-optional-deps.patch
 delete mode 100644 dev-python/flask-security/flask-security-3.4.4.ebuild
 delete mode 100644 dev-python/flask-security/flask-security-3.4.5.ebuild

All done!