エラータID: AXSA:2023-5938:01

Release date: 
Friday, June 9, 2023 - 01:06
Affected Channels: 
Asianux Server 7 for x86_64

Flask is a lightweight but extensible web development framework for Python based
on the Werkzeug WSGI toolkit, and the Jinja 2 template engine.

Security Fix(es):

* flask: Possible disclosure of permanent session cookie due to missing Vary:
Cookie header (CVE-2023-30861)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Flask is a lightweight WSGI web application framework. When all of the following
conditions are met, a response containing data intended for one client may be
cached and subsequently sent by the proxy to other clients. If the proxy also
caches `Set-Cookie` headers, it may send one client's `session` cookie to other
clients. The severity depends on the application's use of the session and the
proxy's behavior regarding cookies. The risk depends on all these conditions
being met. 1. The application must be hosted behind a caching proxy that does
not strip cookies or ignore responses with cookies. 2. The application sets
`session.permanent = True` 3. The application does not access or modify the
session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled
(the default). 5. The application does not set a `Cache-Control` header to
indicate that a page is private or should not be cached. This happens because
vulnerable versions of Flask only set the `Vary: Cookie` header when the session
is accessed or modified, not when it is refreshed (re-sent to update the
expiration) without being accessed or modified. This issue has been fixed in
versions 2.3.2 and 2.2.5.


Update packages.

Additional Info: 



  1. python-flask-0.10.1-7.el7.src.rpm
    MD5: f2191151ea2df08adb558c1d65e3be0b
    SHA-256: e5a0ef35e6ad49d402c3b824286f43737bd14171d3854df3cae59db5dcf21899
    Size: 547.61 kB

Asianux Server 7 for x86_64
  1. python-flask-0.10.1-7.el7.noarch.rpm
    MD5: 2f65f6575dcbb1fe31d1ad2b88e7e57d
    SHA-256: a0d8f650e32fab22b08c65e5337db7adc88aa5cb800ed86c7a23c2dda3f75912
    Size: 207.35 kB