Bug 31953

Summary: python-flask new security issue CVE-2023-30861
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: python-flask-2.2.3-1.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2023-05-22 14:58:57 CEST
SUSE has issued an advisory today (May 22):
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014935.html

The issue is fixed upstream in 2.2.5:
https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq

Mageia 8 is also affected.
David Walser 2023-05-22 14:59:25 CEST

Status comment: (none) => Fixed upstream in 2.2.5
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-05-29 21:32:29 CEST
Assigning to the Python stack maintainers.

Assignee: bugsquad => python

Comment 2 papoteur 2023-06-01 11:58:13 CEST
Cauldron updated to 2.3.2
Patch applied to 1.1.2 in Mageia 8
https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965

python3-flask-1.1.2-1.1.mga8
Src:
python-flask-1.1.2-1.1.mga8

CC: (none) => yves.brungard_mageia
Version: Cauldron => 8
Assignee: python => qa-bugs
Status comment: Fixed upstream in 2.2.5 => (none)

Comment 3 Herman Viaene 2023-06-02 10:37:12 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki, no previous updates. Tried to find some dependent package that I have any feeling for and found pgadmin4.
Launched that one under trace and operated it a little. Found no refs to python3-flask (to other python3, loads of them).
This is a developers' area, so OK on clean install as with others, since nothing seems to suffer from this update.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-06-02 13:23:47 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8-64-OK

Dave Hodgins 2023-06-08 19:14:26 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-06-08 21:36:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0193.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED