[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1010083/flask

Salvatore Bonaccorso carnil at debian.org
Wed Jul 17 21:52:44 BST 2019 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d5b23994 by Salvatore Bonaccorso at 2019-07-17T20:49:50Z
Add CVE-2019-1010083/flask

Only thing which is known so far that it is 'fixed in the 1.0 release'.
The CVE was assigned by the former DWF project, but apart
https://www.palletsprojects.com/blog/flask-1-0-released/ there is no
reference given. The upstream release information notes:

	JSON Security Fix

        Flask previously decoded incoming JSON bytes using the content
        type of the request. Although JSON should only be encoded as UTF-
        8, Flask was more lenient. However, Python includes non-text
        related encodings that could result in unexpected memory use by
        a request.

        Flask will now detect the encoding of incoming JSON data as one
        of the supported UTF encodings, and will not allow arbitrary
        encodings from the request.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11136,7 +11136,8 @@ CVE-2019-1010085
 CVE-2019-1010084 (Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect  ...)
 	TODO: check
 CVE-2019-1010083 (The Pallets Project Flask before 1.0 is affected by: unexpected memory ...)
-	TODO: check
+	- flask 1.0.2-1
+	TODO: check fixing commit(s)
 CVE-2019-1010082
 	RESERVED
 CVE-2019-1010081



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5b23994c8b1d8052161483f799618838f9c4769

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5b23994c8b1d8052161483f799618838f9c4769
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190717/1b85f66e/attachment.html>

More information about the debian-security-tracker-commits mailing list