Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Update dependency flask to v2.2.5 [SECURITY] #88

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore: Update dependency flask to v2.2.5 [SECURITY] #88

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 28, 2023
edited

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
flask (changelog) ==2.2.2 -> ==2.2.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-30861

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True.
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST is enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.

Release Notes

pallets/flask (flask)

v2.2.5

Compare Source

Released 2023-05-02

  • Update for compatibility with Werkzeug 2.3.3.
  • Set Vary: Cookie header when the session is accessed, modified, or refreshed.

v2.2.4

Compare Source

Released 2023-04-25

  • Update for compatibility with Werkzeug 2.3.

v2.2.3

Compare Source

Released 2023-02-15

  • Autoescape is enabled by default for .svg template files. :issue:4831
  • Fix the type of template_folder to accept pathlib.Path. :issue:4892
  • Add --debug option to the flask run command. :issue:4777

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner May 28, 2023 09:55
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.2 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] May 28, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 246e723 to b8a9fb9 Compare May 28, 2023 12:42
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.2 [SECURITY] Jun 18, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from b8a9fb9 to 3295b3c Compare June 18, 2023 08:01
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.2 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Jun 18, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 3295b3c to f77e59f Compare June 18, 2023 10:06
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.2 [SECURITY] Aug 9, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from f77e59f to dd46e0a Compare August 9, 2023 14:37
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.2 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Aug 9, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from dd46e0a to d333cfc Compare August 9, 2023 17:43
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Sep 19, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from d333cfc to 41824eb Compare September 19, 2023 15:01
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Sep 19, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 41824eb to 8c56581 Compare September 19, 2023 19:08
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Sep 26, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 8c56581 to a406811 Compare September 26, 2023 12:28
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Sep 26, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from a406811 to d3e0594 Compare September 26, 2023 17:21
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Nov 16, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from d3e0594 to 5b585b9 Compare November 16, 2023 12:04
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Nov 16, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 5b585b9 to 91fd5b0 Compare November 16, 2023 17:10
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Dec 3, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 91fd5b0 to 54fc60b Compare December 3, 2023 12:08
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Dec 3, 2023
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 54fc60b to b99de08 Compare December 3, 2023 16:24
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Jan 4, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch 2 times, most recently from de56ae3 to 6351ed8 Compare January 4, 2024 19:39
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Apr 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from aa4f2cb to 4ff6e1a Compare April 14, 2024 13:51
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Apr 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 4ff6e1a to 17212b4 Compare May 1, 2024 14:38
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] May 1, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 17212b4 to b5c2df5 Compare May 1, 2024 16:46
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] May 1, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from b5c2df5 to fe24d67 Compare May 9, 2024 08:47
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] May 9, 2024
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] May 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch 2 times, most recently from f5961d7 to 10772c1 Compare May 15, 2024 17:14
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] May 15, 2024
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] May 16, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 10772c1 to f7b4fdd Compare May 16, 2024 00:42
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from f7b4fdd to 72d9c17 Compare June 27, 2024 11:10
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Jun 27, 2024
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Jun 27, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 72d9c17 to b3de3c3 Compare June 27, 2024 14:25
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from b3de3c3 to 60f149d Compare July 14, 2024 08:01
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Jul 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 60f149d to 3783b26 Compare July 14, 2024 11:56
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Jul 14, 2024
@renovate renovate bot changed the title chore: Update dependency flask to v2.2.5 [SECURITY] chore: Update dependency flask to v2.3.3 [SECURITY] Jul 28, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 3783b26 to 9822ab7 Compare July 28, 2024 14:31
@renovate renovate bot changed the title chore: Update dependency flask to v2.3.3 [SECURITY] chore: Update dependency flask to v2.2.5 [SECURITY] Jul 28, 2024
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 9822ab7 to 05b0407 Compare July 28, 2024 17:12
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from 05b0407 to d74c38e Compare August 6, 2024 16:13
@renovate renovate bot force-pushed the renovate/pypi-flask-vulnerability branch from d74c38e to 9d0bfba Compare August 7, 2024 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants