python-flask-0.10.1-7.el7
エラータID: AXSA:2023-5938:01
リリース日:
2023/06/09 Friday - 01:06
題名:
python-flask-0.10.1-7.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Flask には、特定の条件を満たした場合、あるクライアント宛のデータ
を含むレスポンスが他のクライアントに送信されてしまう問題があるため、
リモートの攻撃者により、細工されたリクエストを介して、情報漏洩を
可能とする脆弱性が存在します。(CVE-2023-30861)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-30861
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
追加情報:
N/A
ダウンロード:
SRPMS
- python-flask-0.10.1-7.el7.src.rpm
MD5: f2191151ea2df08adb558c1d65e3be0b
SHA-256: e5a0ef35e6ad49d402c3b824286f43737bd14171d3854df3cae59db5dcf21899
Size: 547.61 kB
Asianux Server 7 for x86_64
- python-flask-0.10.1-7.el7.noarch.rpm
MD5: 2f65f6575dcbb1fe31d1ad2b88e7e57d
SHA-256: a0d8f650e32fab22b08c65e5337db7adc88aa5cb800ed86c7a23c2dda3f75912
Size: 207.35 kB
English