Amazon Linux 2023 Security Advisory: ALAS-2023-183
Advisory Release Date: 2023-05-25 17:41 Pacific
Advisory Updated Date: 2023-06-07 20:05 Pacific
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5. (CVE-2023-30861)
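As an added illustration of the cause described above (not code from the advisory or from Flask): a constructed WSGI stand-in that re-sends the `session` cookie on every request without a `Vary: Cookie` header, alongside a middleware that adds the header whenever a response sets a cookie, so a shared cache keys the response per client. All names (`vulnerable_app`, `vary_cookie_middleware`, `run_request`, `is_keyed_on_cookie`) are hypothetical.

```python
from io import BytesIO


def vulnerable_app(environ, start_response):
    # Constructed stand-in for an app that refreshes a permanent session
    # on each request without touching it: the cookie is re-sent but, as
    # in unpatched Flask, no Vary: Cookie is emitted with the response.
    user = environ.get("HTTP_COOKIE", "anonymous")
    headers = [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=%s; Max-Age=2592000" % user),  # refreshed
    ]
    start_response("200 OK", headers)
    return [("hello %s" % user).encode()]


def vary_cookie_middleware(app):
    # Mitigation in front of the app: any response that sets a cookie
    # also gets Vary: Cookie, merged with an existing Vary value if present.
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            sets_cookie = any(k.lower() == "set-cookie" for k, _ in headers)
            vary = [v for k, v in headers if k.lower() == "vary"]
            if sets_cookie and not any("cookie" in v.lower() for v in vary):
                headers = [(k, v) for k, v in headers if k.lower() != "vary"]
                headers.append(("Vary", ", ".join(vary + ["Cookie"])))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def run_request(app, cookie=None):
    # Drive a WSGI app offline; returns (status, header dict, body bytes).
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "wsgi.input": BytesIO()}
    if cookie is not None:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def is_keyed_on_cookie(headers):
    # Check a shared cache would vary the entry by cookie: True if safe.
    return "cookie" in headers.get("Vary", "").lower()
```

Running `run_request` against the bare app shows a `Set-Cookie` with no `Vary`; wrapping it in the middleware yields `Vary: Cookie` on the same response.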
Affected Packages:
python-flask
Issue Correction:
Run `dnf update python-flask --releasever 2023.0.20230607` to update your system.
noarch:
python-flask-doc-1.1.2-5.amzn2023.0.3.noarch
python3-flask-1.1.2-5.amzn2023.0.3.noarch
src:
python-flask-1.1.2-5.amzn2023.0.3.src