Bug 31069

Summary: python-flask-security new security issue CVE-2021-23385
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, joequant, qa-bugs, smelror, sysadmin-bugs, tarazed25, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-flask-security-3.0.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-11-02 21:57:07 CET 
SUSE has issued an advisory on November 1:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012786.html

Note that this software is unmaintained upstream.  Apparently it has been replaced by flask-security-too (which is also vulnerable to this issue, where it is known as CVE-2021-32618).

So this package should be dropped or replaced in Cauldron as well.

Mageia 8 is also affected.
David Walser 2022-11-02 21:57:44 CET

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9
Whiteboard: (none) => MGA8TOO

Comment 2 Lewis Smith 2022-11-03 20:14:19 CET 
Well, immediately, this needs addressing.
Assigning globally as various packagers have dealt with this package.
CC'ing Joseph who is registered maintainer, in case you want to do this.

Have noted to drop in the TRACKER bug 30163.

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant

Comment 3 Lewis Smith 2022-11-03 20:17:15 CET 
Correcting assignnment to Python maintainers.

Assignee: pkg-bugs => python

Comment 4 David Walser 2022-11-04 17:27:30 CET 
openSUSE advisory for python-flask-security-too from November 3:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PF7CUVFV2HIA3SO656CPSXCDYD5VGKAH/
Comment 5 papoteur 2023-02-02 10:54:18 CET 
Removed from cauldron.
https://svnweb.mageia.org/packages/obsolete/python-flask-security/

Version: Cauldron => 8
CC: (none) => yves.brungard_mageia
Whiteboard: MGA8TOO => (none)

papoteur 2023-02-02 10:54:50 CET

Target Milestone: Mageia 9 => ---
Priority: release_blocker => High

Comment 6 papoteur 2023-02-02 11:29:29 CET 
Applying a patch from opensuse.
https://build.opensuse.org/package/view_file/SUSE:SLE-15-SP1:Update/python-Flask-Security/fix-open-redirect.patch?expand=1

python3-flask-security-3.0.0-1.1.mga8.noarch.rpm

Source:
python-flask-security-3.0.0-1.1.mga8.src.rpm

Assignee: python => qa-bugs

Comment 7 David Walser 2023-02-02 15:34:21 CET 
(In reply to papoteur from comment #5)
> Removed from cauldron.
> https://svnweb.mageia.org/packages/obsolete/python-flask-security/

No, it's still in Cauldron:
http://mirrors.kernel.org/mageia/distrib/cauldron/SRPMS/core/release/python-flask-security-3.0.0-5.mga9.src.rpm

Priority: High => release_blocker
Assignee: qa-bugs => python
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
CC: (none) => qa-bugs

Comment 8 Stig-Ørjan Smelror 2023-03-16 14:32:16 CET 
This package has successfully been obsoleted in Cauldron.

Closing as fixed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => smelror

Comment 9 papoteur 2023-03-16 15:48:05 CET 
The Mageia 8 fix is not yet validated.

Priority: release_blocker => Normal
Resolution: FIXED => (none)
Version: Cauldron => 8
Status: RESOLVED => REOPENED
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 10 David Walser 2023-03-16 16:11:58 CET 
Mageia 8 update in Comment 6.

Source RPM: python-flask-security-3.0.0-5.mga9.src.rpm => python-flask-security-3.0.0-1.mga8.src.rpm

Comment 11 Len Lawrence 2023-03-20 16:51:40 CET 
Mageia8, x86_64

Updated the package via qarepo -> MageiaUpdate.
Tried the tutorial at:
https://flask-security.readthedocs.io/en/3.0.0/quickstart.html
but did not get very far with it.

$ python alchemy.py > session
/usr/lib/python3.8/site-packages/flask_sqlalchemy/__init__.py:793: FSADeprecationWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future.  Set it to True or False to suppress this warning.
  warnings.warn(FSADeprecationWarning(
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
 * Restarting with stat
/usr/lib/python3.8/site-packages/flask_sqlalchemy/__init__.py:793: FSADeprecationWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future.  Set it to True or False to suppress this warning.
  warnings.warn(FSADeprecationWarning(
 * Debugger is active!
 * Debugger PIN: 129-755-916

This runs and  shows a login at localhost:5000/ in a browser, which asks for email address and login password.  No idea what it is looking for.   Provided email address then tried gmail password which failed then my local login password.  Both resulted in user not identified.  I would guess that this is working as intended.

Giving this a tentative OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 12 Thomas Andrews 2023-03-22 00:58:22 CET 
Out of my element, but a wild guess would be that the gmail password failed because Gmail no longer allows "insecure third party apps" to log onto the server with a simple password. The email part of the tutorial sounded to me like it was for some kind of internal email, not something like gmail, anyway

Of course, I could easily be completely wrong. As I said, it's out of my element.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-24 00:02:10 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 13 Mageia Robot 2023-03-24 06:57:18 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0105.html

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED