From f88706fe2f81f7ec6c98e6313acbefc89370bcb5 Mon Sep 17 00:00:00 2001 From: Soumya Sambu Date: Tue, 3 Sep 2024 12:52:59 +0000 Subject: python3-flask-cors: Fix CVE-2024-6221 A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions. References: https://nvd.nist.gov/vuln/detail/CVE-2024-6221 Upsteam-Patch: https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb') diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb index 1d0d86b4e7..77b51c5515 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb @@ -9,6 +9,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce" PYPI_PACKAGE = "Flask-Cors" +SRC_URI += " \ + file://CVE-2024-6221.patch \ +" + SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0" inherit pypi setuptools3 -- cgit v1.2.3-54-g00ecf