python-flask-cors (3.0.9-2+deb11u1) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764).
    - An attacker can inject fake log entries into the log file by sending a
      specially crafted GET request containing a CRLF sequence in the request
      path, allowing them to corrupt log files, potentially covering tracks of
      other attacks, confusing log post-processing tools, and forging log
      entries.
  * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988).
    - The request path matching is case-insensitive. This results in a mismatch
      because paths in URLs are case-sensitive, but the regex matching treats
      them as case-insensitive. This misconfiguration can lead to significant
      security vulnerabilities, allowing unauthorized origins to access paths
      meant to be restricted, resulting in data exposure and potential leaks.
  * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to
    fix CVE-2024-6839 (closes: #1100988).
    - There is an improper regex path matching vulnerability. The plugin
      prioritizes longer regex patterns over more specific ones when matching
      paths, which can lead to less restrictive CORS policies being applied to
      sensitive endpoints. This mismatch in regex pattern priority allows
      unauthorized cross-origin access to sensitive data or functionality,
      potentially exposing confidential information and increasing the risk of
      unauthorized actions by malicious actors.
   d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988).
   - The request.path is passed through the unquote_plus function, which
     converts the '+' character to a space ' '. This behavior leads to
     incorrect path normalization, causing potential mismatches in CORS
     configuration. As a result, endpoints may not be matched correctly to
     their CORS settings, leading to unexpected CORS policy application. This
     can cause unauthorized cross-origin access or block valid requests,
     creating security vulnerabilities and usability issues.

 -- Daniel Leidert <dleidert@debian.org>  Sat, 31 May 2025 03:40:23 +0200

python-flask-cors (3.0.9-2) unstable; urgency=medium

  * Team upload.

  [ Bastian Germann ]
  * d/copyright: Fix superfluous licence.

 -- Louis-Philippe Véronneau <pollo@debian.org>  Fri, 18 Dec 2020 11:06:56 -0500

python-flask-cors (3.0.9-1) unstable; urgency=medium

  * Team upload.

  [ Louis-Philippe Véronneau ]
  * d/gbp.conf: use team's branch names and migrate to debian/master.
  * d/control: upgrade to dh13.
  * d/control: update Standards-Version to 4.5.1. Add Rules-Requires-Root.
  * d/control: the team is not called the Python Team.
  * d/tests: add autopkgtest.

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.1.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa
    layout.

  [ Bastian Germann ]
  * Add gbp.conf
  * New upstream version 3.0.9 (Closes: #950058, #969362)

 -- Louis-Philippe Véronneau <pollo@debian.org>  Fri, 18 Dec 2020 10:54:57 -0500

python-flask-cors (3.0.8-2) unstable; urgency=medium

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.0.

  [ Stewart Ferguson ]
  * Bumping version to facilitate source-only upload

 -- Stewart Ferguson <stew@ferg.aero>  Tue, 30 Jul 2019 19:11:58 +0200

python-flask-cors (3.0.8-1) unstable; urgency=medium

  * Upstream release 3.0.8
  * Bumping standards-version 4.2.1 -> 4.3.0 (no changes required)
  * Bumping compat 11 -> 12 and replacing d/compat with newer build-dep
  * Adding d/upstream/metadata

 -- Stewart Ferguson <stew@ferg.aero>  Sun, 09 Jun 2019 09:29:19 +0200

python-flask-cors (3.0.7-1) unstable; urgency=medium

  * Initial release (Closes: #915789)

 -- Stewart Ferguson <stew@ferg.aero>  Wed, 05 Dec 2018 21:51:05 +0100
