- Update to 3.4.5
* Security Vulnerability Fix. Two CSRF vulnerabilities were
reported: qrcode and login. This release fixes the more severe
of the two - the /login vulnerability. The QRcode issue has a
much smaller risk profile since a) it is only for two-factor
authentication using an authenticator app and b) the qrcode is
only available during the time the user is first setting up
their authentication app. The QRcode issue has been fixed in 4.0.
* Fixed
- GET on /login and /change could return the caller's
authentication_token. This is a security concern since GETs
don't have CSRF protection. This bug was introduced in 3.3.0.
* Backwards Compatibility Concerns. Fix CSRF vulnerability on
/login and /change that could return the caller's authentication
token. Now, callers can only get the authentication token on
successful POST calls.
- Update to 3.4.4
* Fix 3 regressions and a couple other bugs
* Fixed
- Basic Auth broken. When the unauthenticated handler was
changed to provide a more uniform/consistent response - it
broke using Basic Auth from a browser, since it always
redirected rather than returning 401. Now, if the response
headers contain WWW-Authenticate (which is set if basic
@auth_required method is used), a 401 is returned. See below
for backwards compatibility concerns.
- As part of figuring out issue 359 - a redirect loop was
found. In release 3.3.0 code was put in to redirect to
:py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was
called and the caller was already authenticated. The method
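The two behaviours described in the 3.4.5 and 3.4.4 entries above, modelled as an added example with the Python standard library only (this is not Flask-Security-Too code; the names Request, Response, USERS, SECRET, login_3_3_0, login_3_4_5 and unauthenticated are hypothetical, and the HMAC-based authentication_token is a simplified stand-in for the library's real token scheme). login_3_3_0 reproduces the pre-fix /login: a GET by an already logged-in session hands back the authentication token, with no CSRF check possible. login_3_4_5 reproduces the fix: a GET only ever issues a CSRF token, and the authentication token is returned only by a POST that carries a valid CSRF token and correct credentials. unauthenticated reproduces the 3.4.4 rule for the unauthenticated handler: 401 when the view set WWW-Authenticate, a redirect to the login view otherwise.

```python
"""Added example, not Flask-Security-Too code. Models the /login token
leak fixed in 3.4.5 and the 401-vs-redirect rule from 3.4.4 using only
the standard library. All names and the constructed data are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET = b"constructed-server-secret"  # constructed for the example
_SALT = b"constructed-salt"            # one static salt keeps the example short


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 digest)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session tied to the cookie


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def auth_token(user: str) -> str:
    """Per-user API token: HMAC over the username (simplified stand-in)."""
    return hmac.new(SECRET, user.encode(), "sha256").hexdigest()


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        _hash(password, _SALT)  # spend the same time for unknown users
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


def csrf_token(session: dict) -> str:
    """Issue once per session and return the CSRF token."""
    return session.setdefault("csrf", secrets.token_urlsafe(32))


def _login_post(req: Request) -> Response:
    """POST path shared by both versions: CSRF check, then credentials."""
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return Response(400, {"error": "CSRF token missing or invalid"})
    user, password = req.form.get("email", ""), req.form.get("password", "")
    if not check_password(user, password):
        return Response(400, {"error": "invalid credentials"})
    req.session["user"] = user
    return Response(200, {"authentication_token": auth_token(user)})


def login_3_3_0(req: Request) -> Response:
    """Pre-fix behaviour: a GET from a logged-in session returns the token.
    A GET carries no CSRF token, so any page the user visits can trigger
    this request with the user's cookies attached."""
    if req.method == "GET":
        if "user" in req.session:
            return Response(200, {"authentication_token": auth_token(req.session["user"])})
        return Response(200, {"csrf_token": csrf_token(req.session)})
    return _login_post(req)


def login_3_4_5(req: Request) -> Response:
    """Fixed behaviour: GET never carries the token; only a successful POST does."""
    if req.method == "GET":
        return Response(200, {"csrf_token": csrf_token(req.session)})
    return _login_post(req)


def unauthenticated(req: Request, response_headers: dict) -> Response:
    """3.4.4 rule: if the view already set WWW-Authenticate (basic auth),
    answer 401 so the browser shows its credential prompt; otherwise
    redirect to the login view instead of looping on the same URL."""
    if "WWW-Authenticate" in response_headers:
        return Response(401, headers=dict(response_headers))
    return Response(302, headers={"Location": "/login"})
```

The point to take from the two login functions is that the fix is not a stricter CSRF check but removing the secret from the GET path altogether: a GET can never prove intent, so nothing a session holds in secret should be written into its response.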
OBS-URL: https://build.opensuse.org/request/show/900215
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=12