python-flask-0.10.1-7.el7

Flask is a lightweight but extensible web development framework for Python based
on the Werkzeug WSGI toolkit, and the Jinja 2 template engine.

Security Fix(es):

* flask: Possible disclosure of permanent session cookie due to missing Vary:
Cookie header (CVE-2023-30861)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2023-30861
Flask is a lightweight WSGI web application framework. When all of the following
conditions are met, a response containing data intended for one client may be
cached and subsequently sent by the proxy to other clients. If the proxy also
caches `Set-Cookie` headers, it may send one client's `session` cookie to other
clients. The severity depends on the application's use of the session and the
proxy's behavior regarding cookies. The risk depends on all these conditions
being met. 1. The application must be hosted behind a caching proxy that does
not strip cookies or ignore responses with cookies. 2. The application sets
`session.permanent = True` 3. The application does not access or modify the
session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled
(the default). 5. The application does not set a `Cache-Control` header to
indicate that a page is private or should not be cached. This happens because
vulnerable versions of Flask only set the `Vary: Cookie` header when the session
is accessed or modified, not when it is refreshed (re-sent to update the
expiration) without being accessed or modified. This issue has been fixed in
versions 2.3.2 and 2.2.5.