Bug#1106665: unblock: flask/3.1.1-1



Package: release.debian.org
Severity: normal
X-Debbugs-Cc: flask@packages.debian.org
Control: affects -1 + src:flask
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package flask

[ Reason ]
The current version 3.1.0-2 of flask in Debian testing is affected by
the CVE issue CVE-2025-47278
(https://security-tracker.debian.org/tracker/CVE-2025-47278).
Upstream released version 3.1.1, which fixes this issue. This version is
packaged as 3.1.1-1 and available in unstable.

[ Impact ]
Users might get affected by the CVE issue due to the wrong handling of
the fallback rolling key configuration in Flask 3.1.0-2.

[ Tests ]
The src:flask package comes with tests which get executed at build time and
also by the autopkgtest setup.
No side effects are visible in these tests.

[ Risks ]
The code changes only have an impact on the Flask framework and on user
projects that are built on top of the framework. The code changes in
Flask regarding the CVE fix aren't that big and can be viewed in this
commit:
https://github.com/pallets/flask/commit/73d6504063bfa00666a92b07a28aaf906c532f09

Besides that one commit, upstream also made modifications to the test
file configuration and documentation files, and also made typing
annotation related changes.

The full set of modifications is visible here:
https://github.com/pallets/flask/compare/3.1.0...3.1.1

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing
      (upstream changes are cut off)

diff -Nru flask-3.1.0/debian/changelog flask-3.1.1/debian/changelog
--- flask-3.1.0/debian/changelog	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/changelog	2025-05-17 10:15:33.000000000 +0200
@@ -1,3 +1,22 @@
+flask (3.1.1-1) unstable; urgency=medium
+
+  * Team upload
+  * [69dc41c] New upstream version 3.1.1
+    Fixed CVE issue in upstream version 3.1.1:
+    CVE-2025-47278: Fix signing key selection order when key rotation is
+                    enabled via SECRET_KEY_FALLBACKS
+    (Closes: #1105794)
+  * [50f7161] Rebuild patch queue drom patch-queue branch
+    Adjusted/refreshed patch:
+    docs-Use-intersphix-with-Debian-packages.patch
+  * [e3fc0e6] d/control: Bump Standards-Version to 4.7.2
+    No further changes needed.
+  * [67c8d12] d/copyright: Update year data
+  * [c895c07] d/rules: Drop removal of non existing folder anymore
+  * [c5ee3a5] d/rules: Remove Readme.md file from module folder
+
+ -- Carsten Schoenert <c.schoenert@t-online.de>  Sat, 17 May 2025 10:15:33 +0200
+
 flask (3.1.0-2) unstable; urgency=medium
 
   * Team upload
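Review bot: typo in the changelog entry `Rebuild patch queue drom patch-queue branch`: `drom` should read `from`. The entry `d/rules: Drop removal of non existing folder anymore` is also hard to parse; something like `d/rules: Drop removal of no longer existing site_egg folder` would say what the corresponding d/rules hunk actually does.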
diff -Nru flask-3.1.0/debian/control flask-3.1.1/debian/control
--- flask-3.1.0/debian/control	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/control	2025-05-17 09:19:36.000000000 +0200
@@ -29,7 +29,7 @@
  python3-sphinx-issues <!nodoc>,
  python3-sphinx-tabs <!nodoc>,
  python3-werkzeug (>= 3.1.0) <!nocheck>,
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
 Vcs-Git: https://salsa.debian.org/python-team/packages/flask.git
 Vcs-Browser: https://salsa.debian.org/python-team/packages/flask
 Homepage: https://github.com/pallets/flask
diff -Nru flask-3.1.0/debian/copyright flask-3.1.1/debian/copyright
--- flask-3.1.0/debian/copyright	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/copyright	2025-05-17 09:19:36.000000000 +0200
@@ -3,8 +3,8 @@
 Source: https://github.com/pallets/flask
 
 Files: *
-Copyright: (c) 2010-2024, Pallets team and community contributors
-           (c) 2010-2024, David Lord (davidism)
+Copyright: (c) 2010-2025, Pallets team and community contributors
+           (c) 2010-2025, David Lord (davidism)
            (c) 2010-2023, Adrian Mönnich (ThiefMaster)
            (c) 2010-2023, Armin Ronacher (mitsuhiko)
            (c) 2010-2023, Marcus Unterwaditzer (untitaker)
@@ -14,7 +14,7 @@
 Copyright: (c) 2010-2016, Piotr Ożarowski <piotr@debian.org>
            (c) 2016-2020, Ondřej Nový <onovy@debian.org>
 		   (c) 2022, Thomas Goirand <zigo@debian.org>
-		   (c) 2023-2024, Carsten Schoenert <c.schoenert@t-online.de>
+		   (c) 2023-2025, Carsten Schoenert <c.schoenert@t-online.de>
 License: BSD-3-clause
 
 License: BSD-3-clause
diff -Nru flask-3.1.0/debian/patches/docs-Use-intersphix-with-Debian-packages.patch flask-3.1.1/debian/patches/docs-Use-intersphix-with-Debian-packages.patch
--- flask-3.1.0/debian/patches/docs-Use-intersphix-with-Debian-packages.patch	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/patches/docs-Use-intersphix-with-Debian-packages.patch	2025-05-17 09:10:17.000000000 +0200
@@ -8,11 +8,11 @@
  1 file changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/docs/conf.py b/docs/conf.py
-index fc06a86..2b68d29 100644
+index d80d52f..1af98de 100644
 --- a/docs/conf.py
 +++ b/docs/conf.py
-@@ -28,14 +28,14 @@ extlinks = {
-     "pr": ("https://github.com/pallets/flask/pull/%s";, "#%s"),
+@@ -29,14 +29,14 @@ extlinks = {
+     "ghsa": ("https://github.com/pallets/flask/security/advisories/GHSA-%s";, "GHSA-%s"),
  }
  intersphinx_mapping = {
 -    "python": ("https://docs.python.org/3/";, None),
diff -Nru flask-3.1.0/debian/patches/Don-t-require-sphinxcontrib.log_cabinet-extension.patch flask-3.1.1/debian/patches/Don-t-require-sphinxcontrib.log_cabinet-extension.patch
--- flask-3.1.0/debian/patches/Don-t-require-sphinxcontrib.log_cabinet-extension.patch	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/patches/Don-t-require-sphinxcontrib.log_cabinet-extension.patch	2025-05-17 09:10:17.000000000 +0200
@@ -8,7 +8,7 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/docs/conf.py b/docs/conf.py
-index 25b8f00..e89d728 100644
+index eca4f81..fd41f6f 100644
 --- a/docs/conf.py
 +++ b/docs/conf.py
 @@ -16,9 +16,9 @@ extensions = [
diff -Nru flask-3.1.0/debian/patches/Remove-eticalads-in-doc.patch flask-3.1.1/debian/patches/Remove-eticalads-in-doc.patch
--- flask-3.1.0/debian/patches/Remove-eticalads-in-doc.patch	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/patches/Remove-eticalads-in-doc.patch	2025-05-17 09:10:17.000000000 +0200
@@ -11,10 +11,10 @@
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/docs/conf.py b/docs/conf.py
-index e89d728..fc06a86 100644
+index fd41f6f..d80d52f 100644
 --- a/docs/conf.py
 +++ b/docs/conf.py
-@@ -52,10 +52,10 @@ html_context = {
+@@ -53,10 +53,10 @@ html_context = {
      ]
  }
  html_sidebars = {
diff -Nru flask-3.1.0/debian/rules flask-3.1.1/debian/rules
--- flask-3.1.0/debian/rules	2024-11-25 19:56:47.000000000 +0200
+++ flask-3.1.1/debian/rules	2025-05-17 10:13:55.000000000 +0200
@@ -8,7 +8,7 @@
 export PYBUILD_NAME=flask
 export PYBUILD_BEFORE_TEST=cp CHANGES.rst {build_dir}
 export PYBUILD_AFTER_TEST=rm {build_dir}/CHANGES.rst
-export PYBUILD_AFTER_INSTALL=rm -rf '{destdir}/{install_dir}/site_egg'
+export PYBUILD_AFTER_INSTALL=rm -rf '{destdir}{install_dir}/flask/sansio/README.md'
 export PYBUILD_TEST_ARGS="-k not test_main_module_paths"
 
 %:
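Review bot: the new `PYBUILD_AFTER_INSTALL` line removes a single file, `{destdir}{install_dir}/flask/sansio/README.md`, but keeps `rm -rf` from the old directory removal; `rm -f` is enough for a file and limits the damage should either placeholder ever expand to something unexpected. Dropping the `/` between `{destdir}` and `{install_dir}` is fine either way, since pybuild's `{install_dir}` is an absolute path and the old spelling only produced a doubled slash.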


[ Other info ]
The updated package has been in unstable for around 8 days at the time of
writing; no issues were raised against this version, nor did any user get
in direct contact.

unblock flask/3.1.1-1

--
Regards
Carsten