chore(deps): update dependency flask to v2.2.5 [security] #14249
renovate-bot wants to merge 1 commit into
Conversation
Code Review
This pull request upgrades the Flask dependency to version 2.2.5 across multiple requirements files. However, upgrading Flask in the appengine/flexible/websockets directory will break the application due to an incompatibility between Flask 2.0+ and the unmaintained Flask-Sockets library. It is recommended to exclude this directory from the upgrade or migrate to a maintained alternative like Flask-Sock.
| @@ -1,4 +1,4 @@ | |||
| Flask==1.1.4 # it seems like Flask-sockets doesn't play well with 2.0+ | |||
| Flask==2.2.5 # it seems like Flask-sockets doesn't play well with 2.0+ | |||
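Review bot: the added line pins Flask==2.2.5 but keeps the comment "it seems like Flask-sockets doesn't play well with 2.0+", so the pin now contradicts its own justification on the same line. Either leave this file out of the bump and keep `Flask==1.1.4 # it seems like Flask-sockets doesn't play well with 2.0+` until Flask-Sockets is replaced, or replace the library and delete the stale comment in the same change so the next reader is not told the pin is known to break.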
Upgrading Flask to 2.2.5 in this directory will break the application. As noted in the inline comment, Flask-Sockets is incompatible with Flask 2.0+ because it relies on internal APIs that were removed or changed. Since Flask-Sockets is unmaintained, you should exclude this directory from the Flask upgrade or migrate the sample to a maintained library like Flask-Sock before upgrading.
This PR contains the following updates:
Package: Flask
Change: ==2.2.2 → ==2.2.5 and ==1.1.4 → ==2.2.5

Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
CVE-2023-30861 / GHSA-m2qf-hxjv-5gpq
Details

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients.

The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application sets session.permanent = True.
2. The application does not access or modify the session at any point during a request.
3. SESSION_REFRESH_EACH_REQUEST is enabled (the default).
4. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pallets/flask (Flask)
v2.2.5

Released 2023-05-02

- Set the Vary: Cookie header when the session is accessed, modified, or refreshed.

v2.2.4

Released 2023-04-25

v2.2.3

Released 2023-02-15

- Autoescape is enabled by default for .svg template files. :issue:4831
- Fix the type of template_folder to accept pathlib.Path. :issue:4892
- Add the --debug option to the flask run command. :issue:4777

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
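The advisory above states the mechanism but not what it looks like at the wire: a caching proxy that keys responses on the URL (and on any request headers named in Vary) hands one client's cached response, Set-Cookie included, to the next client when Vary: Cookie is absent. The following is an added example, not code from this PR, from Flask, or from Renovate. It is a constructed model of the session-refresh behaviour the advisory describes plus a toy shared cache; the app, cache, client names and cookie values are all assumptions made for illustration, and the `patched` flag stands for the 2.2.5 change of adding Vary: Cookie on a pure refresh.

```python
"""Model of the CVE-2023-30861 leak: a shared cache in front of a Flask-like app.

Constructed model for illustration, not Flask's own code. It mimics the
behaviour the advisory describes:
  * with session.permanent = True and SESSION_REFRESH_EACH_REQUEST (the
    default) the session cookie is re-sent on every response;
  * vulnerable releases only add "Vary: Cookie" when the view accessed or
    modified the session, not on a pure refresh; 2.2.5 adds it on refresh too.
A toy shared cache that also stores Set-Cookie then shows the leak.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict  # cookie name -> value, as sent by the client


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def app_response(req, patched, touches_session=False, private=False):
    """One request through the model app (assumed parameters, see lead-in).

    patched:         True = 2.2.5 behaviour, False = vulnerable behaviour.
    touches_session: the view read or wrote the session (advisory condition 2).
    private:         the view set Cache-Control: private (advisory condition 4).
    """
    resp = Response(body="same public page for everyone")
    if private:
        resp.headers["Cache-Control"] = "private"
    session_cookie = req.cookies.get("session")
    if session_cookie:
        # Permanent session + refresh-each-request: always re-send the cookie.
        resp.headers["Set-Cookie"] = f"session={session_cookie}; Path=/; HttpOnly"
        # Vulnerable: Vary only when accessed/modified. Patched: also on refresh.
        if touches_session or patched:
            resp.headers["Vary"] = "Cookie"
    return resp


def cookie_header(req):
    """Serialised Cookie request header, used as the Vary: Cookie cache key."""
    return "; ".join(f"{k}={v}" for k, v in sorted(req.cookies.items()))


class SharedCache:
    """Toy caching proxy: keys on path, plus the Cookie header when the cached
    response says Vary: Cookie. Honours Cache-Control: private. Like the proxy
    in the advisory, it stores Set-Cookie along with the body."""

    def __init__(self):
        self.entries = []  # (path, varies_on_cookie, cookie_key, response)

    def fetch(self, req, origin):
        for path, varies, key, resp in self.entries:
            if path == req.path and (not varies or key == cookie_header(req)):
                return resp, True  # cache hit, possibly another client's response
        resp = origin(req)
        if "private" not in resp.headers.get("Cache-Control", "").lower():
            varies = "cookie" in resp.headers.get("Vary", "").lower()
            self.entries.append((req.path, varies, cookie_header(req), resp))
        return resp, False


def bob_receives(patched, touches_session=False, private=False):
    """Alice requests / first, then Bob. Return (Bob's Set-Cookie, served_from_cache)."""
    cache = SharedCache()

    def origin(r):
        return app_response(r, patched, touches_session, private)

    alice = Request("/", {"session": "alice-signed-session-blob"})  # constructed
    bob = Request("/", {"session": "bob-signed-session-blob"})      # constructed
    cache.fetch(alice, origin)
    resp, hit = cache.fetch(bob, origin)
    return resp.headers.get("Set-Cookie"), hit


def leaks_session(patched, touches_session=False, private=False):
    """True if Bob is handed Alice's session cookie out of the shared cache."""
    set_cookie, hit = bob_receives(patched, touches_session, private)
    return hit and "alice" in (set_cookie or "")


if __name__ == "__main__":
    print("vulnerable, pure refresh:", leaks_session(patched=False))                        # True
    print("vulnerable, view touches session:", leaks_session(False, touches_session=True))  # False
    print("vulnerable, Cache-Control: private:", leaks_session(False, private=True))        # False
    print("patched 2.2.5, pure refresh:", leaks_session(patched=True))                      # False
```

The three non-leaking cases map onto the advisory's conditions: a view that touches the session already got Vary: Cookie on vulnerable releases, a Cache-Control: private response is never stored by a well-behaved shared cache, and 2.2.5 adds Vary: Cookie on the refresh path as well. To check a real deployment rather than the model, send a request carrying a permanent session cookie to a view that never touches the session and inspect the response headers (for example with `curl -i`): before 2.2.5 the Set-Cookie refresh arrives without a Vary: Cookie header.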