Security: Redirect to arbitrary page in Flask-Security

Name: Redirect to arbitrary page in Flask-Security
ID: USN-6792-1
Distribution: Ubuntu
Platforms: Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS
Date: Tue, 28 May 2024, 23:50
References:
https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu0.20.04.1
https://ubuntu.com/security/notices/USN-6792-1
https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu0.1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23385
Applications: Flask-Security

Original message
From: Chrisa Oikonomou <chrisa.oikonomou@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <3ec23acc-cac3-425a-b205-20181edd28a8@canonical.com>
Subject: [USN-6792-1] Flask-Security vulnerability
==========================================================================
Ubuntu Security Notice USN-6792-1
May 28, 2024

flask-security vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Flask-Security could be made to bypass URL validation and redirect to an arbitrary URL.

Software Description:
- flask-security: Simple security for Flask apps (Python 3)

Details:

Naom Moshe discovered that Flask-Security incorrectly validated URLs. An attacker could use this issue to redirect users to arbitrary URLs.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  python3-flask-security  4.0.0-1ubuntu0.1

Ubuntu 20.04 LTS
  python3-flask-security  1.7.5-2ubuntu0.20.04.1

Ubuntu 18.04 LTS
  python3-flask-security  1.7.5-2ubuntu0.18.04.1~esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6792-1
  CVE-2021-23385

Package Information:
  https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu0.20.04.1