diff --git a/CVE-2024-1681.patch b/CVE-2024-1681.patch
deleted file mode 100644
index 3057d8cc34bbe1ded54d8f4aa096abea17848251..0000000000000000000000000000000000000000
--- a/CVE-2024-1681.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 6172c2000dba965fedb8e9a8a916ad56f0fb2630 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Anes=20Hujevi=C4=87?=
-Date: Sat, 4 May 2024 21:28:47 +0200
-Subject: [PATCH] Update extension.py to clean request.path before logging it
- (#351)
-
-* Update extension.py to use string format specifier for cleaning request.path
----
- flask_cors/extension.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/flask_cors/extension.py b/flask_cors/extension.py
-index 6f76995..6361dcc 100644
---- a/flask_cors/extension.py
-+++ b/flask_cors/extension.py
-@@ -193,7 +193,7 @@ def cors_after_request(resp):
- normalized_path = unquote_plus(request.path)
- for res_regex, res_options in resources:
- if try_match(normalized_path, res_regex):
-- LOG.debug("Request to '%s' matches CORS resource '%s'. Using options: %s",
-+ LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s",
- request.path, get_regexp_pattern(res_regex), res_options)
- set_cors_headers(resp, res_options)
- break
diff --git a/Flask-Cors-4.0.0.tar.gz b/Flask-Cors-4.0.0.tar.gz
deleted file mode 100644
index d66b3c1d03a0efaff27ab0258f94f4149f49cb12..0000000000000000000000000000000000000000
Binary files a/Flask-Cors-4.0.0.tar.gz and /dev/null differ
diff --git a/flask-cors.spec b/flask-cors.spec
index c0c232fc31ab0635dae0a86009d187f2410881ec..6028050b2ff0945753b4444f49330f1a59f6c44c 100755
--- a/flask-cors.spec
+++ b/flask-cors.spec
@@ -1,13 +1,11 @@ %global _empty_manifest_terminate_build 0 Name: python-Flask-Cors -Version: 4.0.0 -Release: 2 +Version: 5.0.0 +Release: 1 Summary: A Flask extension adding a decorator for CORS support License: MIT URL: https://github.com/corydolphin/flask-cors -Source0: https://files.pythonhosted.org/packages/c8/b0/bd7130837a921497520f62023c7ba754e441dcedf959a43e6d1fd86e5451/Flask-Cors-4.0.0.tar.gz -# https://github.com/corydolphin/flask-cors/commit/6172c2000dba965fedb8e9a8a916ad56f0fb2630 -Patch0: CVE-2024-1681.patch +Source0: https://files.pythonhosted.org/packages/source/F/Flask-Cors/flask_cors-%{version}.tar.gz BuildArch: noarch Requires: python3-Flask @@ -32,7 +30,7 @@ Provides: python3-Flask-Cors-doc A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible. %prep -%autosetup -n Flask-Cors-4.0.0 -p1 +%autosetup -n flask_cors-%{version} -p1 %build %py3_build @@ -72,6 +70,11 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Wed Sep 18 2024 yaoxin - 5.0.0-1 +- Update to 5.0.0: + * Breaking: Change default to disable private network access + This effectively resolves GHSA-hxwh-jpp2-84pm https://osv.dev/vulnerability/PYSEC-2024-71 + * Tue May 28 2024 yaoxin - 4.0.0-2 - Fix CVE-2024-1681 diff --git a/flask_cors-5.0.0.tar.gz b/flask_cors-5.0.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..4c9fdfb0b7efb21d71c8098fe027b698e9592b80 Binary files /dev/null and b/flask_cors-5.0.0.tar.gz differ
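Review bot: Dropping `Patch0: CVE-2024-1681.patch` in the first spec hunk is only safe if the 5.0.0 tarball already carries upstream commit 6172c2000dba965fedb8e9a8a916ad56f0fb2630, and nothing in this diff can show that because the new source is a binary file. Before merging I would check that `flask_cors/extension.py` in the unpacked 5.0.0 source formats `request.path` with `%r` in the `LOG.debug` call inside `cors_after_request`. The 5.0.0-1 changelog entry in the last hunk mentions only the private-network default, so a line such as `- Drop CVE-2024-1681.patch, included upstream` would keep the CVE traceable for anyone auditing the package later. The `-p1` left on `%autosetup -n flask_cors-%{version} -p1` appears to have no effect now that the spec lists no patches, and could be removed.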