Login
Newsletter
Werbung

Sicherheit: Redirect auf beliebige Seite in Flask-Security
Aktuelle Meldungen Distributionen
Name: Redirect auf beliebige Seite in Flask-Security
ID: USN-6792-1
Distribution: Ubuntu
Plattformen: Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS
Datum: Di, 28. Mai 2024, 23:50
Referenzen: https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu0.20.04.1
https://ubuntu.com/security/notices/USN-6792-1
https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu0.1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23385
Applikationen: Flask-Security

Originalnachricht

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1458730279387367104==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="------------fzmKhIZjflq6u5CXb3x0Qt08"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------fzmKhIZjflq6u5CXb3x0Qt08
Content-Type: multipart/mixed;
boundary="------------Z6D0AK5V3SgYzQRAnDrWwSJr";
protected-headers="v1"
From: Chrisa Oikonomou <chrisa.oikonomou@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <3ec23acc-cac3-425a-b205-20181edd28a8@canonical.com>
Subject: [USN-6792-1] Flask-Security vulnerability

--------------Z6D0AK5V3SgYzQRAnDrWwSJr
Content-Type: multipart/alternative;
boundary="------------dRhlZ0o0PLD8swMFtguNlgNw"

--------------dRhlZ0o0PLD8swMFtguNlgNw
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-6792-1
May 28, 2024

flask-security vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Flask-Security could be made to bypass URL validation and redirect to
arbitary URL.

Software Description:
- flask-security: Simple security for Flask apps (Python 3)

Details:

Naom Moshe discovered that Flask-Security incorrectly validated URLs. An
attacker could use this issue to redirect users to arbitrary URLs.



Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  python3-flask-security          4.0.0-1ubuntu0.1

Ubuntu 20.04 LTS
  python3-flask-security          1.7.5-2ubuntu0.20.04.1

Ubuntu 18.04 LTS
  python3-flask-security          1.7.5-2ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6792-1
<https://ubuntu.com/security/notices/USN-6792-1>
  CVE-2021-23385

Package Information:
https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu0.1
<https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu0.1>
https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu0.20.04.1
<https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu0.20.04.1>

--------------dRhlZ0o0PLD8swMFtguNlgNw
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html>
<head>

<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3DUTF=
-8">
</head>
<body>
<p><span
class=3D"im">=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<wbr>=3D=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<wbr>=3D=3D
=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
Ubuntu Security Notice USN-6792-1<br>
May 28, 2024<br>
<br>
flask-security vulnerability<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D<wbr>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<wbr>=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D=3D<br>
<br>
A security issue affects these releases of Ubuntu and its
derivatives:<br>
<br>
- Ubuntu 22.04 LTS<br>
- Ubuntu 20.04 LTS<br>
- Ubuntu 18.04 LTS<br>
<br>
Summary:<br>
<br>
Flask-Security could be made to bypass URL validation and
redirect to arbitary URL.<br>
<br>
Software Description:<br>
- flask-security: Simple security for Flask apps (Python 3)<br>
<br>
Details:<br>
<br>
</span>
Naom Moshe discovered that Flask-Security incorrectly validated
URLs. An attacker could use this issue to redirect users to
arbitrary URLs.</p>
<div class=3D"yj6qo ajU">
<div id=3D":19p" class=3D"ajR" role=3D"button"
tabindex=3D"0"
aria-label=3D"Hide expanded content"
aria-expanded=3D"true"
data-tooltip=3D"Hide expanded content"><img
class=3D"ajT"
src=3D"https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></di=
v>
</div>
<div class=3D"adm"></div>
<br>
<br>
Update instructions:<br>
<br>
The problem can be corrected by updating your system to the
following<br>
package versions:<br>
<br>
Ubuntu 22.04 LTS<br>
=C2=A0 python3-flask-security=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 4.0.0=
-1ubuntu0.1<br>
<br>
Ubuntu 20.04 LTS<br>
=C2=A0 python3-flask-security=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 1.7.5=
-2ubuntu0.20.04.1<br>
<br>
Ubuntu 18.04 LTS<br>
=C2=A0 python3-flask-security=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 1.7.5=
-2ubuntu0.18.04.1~esm1<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Available with Ubuntu P=
ro<br>
<br>
In general, a standard system update will make all the necessary
changes.<br>
<br>
References:<br>
=C2=A0 <a href=3D"https://ubuntu.com/security/notices/USN-6792-1"
rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://ubuntu.com=
/security/notices/USN-6792-1&amp;source=3Dgmail&amp;ust=3D171699899378800
=
0&amp;usg=3DAOvVaw38qg4UG_PLOri3wureOFZk">https://ubuntu.com/security/no<=
wbr>tices/USN-6792-1</a><br>
=C2=A0 CVE-2021-23385<br>
<br>
Package Information:<br>
=C2=A0 <a
href=3D"https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu=
0.1"
rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://launchpad.=
net/ubuntu/%2Bsource/flask-security/4.0.0-1ubuntu0.1&amp;source=3Dgmail&a
=
mp;ust=3D1716998993788000&amp;usg=3DAOvVaw1_QMlj5nGhX9nCnlEYrtzJ">https:/=
/launchpad.net/ubuntu/+<wbr>source/flask-security/4.0.0-1u<wbr>buntu0.1</
=
a><br>
=C2=A0 <a
href=3D"https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu=
0.20.04.1"
rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://launchpad.=
net/ubuntu/%2Bsource/flask-security/1.7.5-2ubuntu0.20.04.1&amp;source=3Dg=
mail&amp;ust=3D1716998993788000&amp;usg=3DAOvVaw2_jLAE6TtdUZDVAxWr7mt9">h
=
ttps://launchpad.net/ubuntu/+<wbr>source/flask-security/1.7.5-2u<wbr>bunt
=
u0.20.04.1</a>
</body>
</html>

--------------dRhlZ0o0PLD8swMFtguNlgNw--

--------------Z6D0AK5V3SgYzQRAnDrWwSJr--

--------------fzmKhIZjflq6u5CXb3x0Qt08
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEE26yozGlLvY8PLmS9C+du+fOjiEwFAmZWCsMFAwAAAAAACgkQC+du+fOjiEy/
XQv/WuT6uIVTXrVC0G9+nCEqHCiKXOuws4od9LPRnYjgM/dtxN+VqhOMQnqXQevESn8o67MyILXa
Ku0aSFrtHKZsiEqqCLM815gnZRSjFRJfr+SSrjmKwzkc0IfX12veAcAHhrPhK0Wr9LmLHxp+zEsX
kUZgN3GqnFDZq2R7YjwDwpGlwzq+uBqsv9S89QvTeAvTsCL2HQOu0fwpjHyl3pvx9RgK09F9e6kV
7fRJn+AyHvmZ9dRt2hMI1ipwtyDTSZ149RhFN7FpYwRWMnkiLevwYCwRTcHfS2qP6qHd4sU41snJ
UFDuDWvooRQ1mYTSdQ8oW1ENVp0d8xkRYU1/qcBGwtnFnis6VouUkvEYyWuBRX+dkkrVIbe4uqDf
uTrL4Vg7faXpTMYBmaDYq0/IfjPlkmTi6Ng++KT9gBV8LVfGv+Zyb2qAjDz34qmybMh/OMMr56v0
O4XXvJVHXu9Lz0Nr8CrxyWeutxGSzKzQdUsmKeeWPe0uIchoTQvl+NuSAvSv
=nsP/
-----END PGP SIGNATURE-----

--------------fzmKhIZjflq6u5CXb3x0Qt08--


--===============1458730279387367104==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============1458730279387367104==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung