From 2da4aff978598c9ebdb60c566b0561e2ffc6e504 Mon Sep 17 00:00:00 2001 From: Manuel83 Date: Mon, 29 Oct 2018 22:15:03 +0100 Subject: [PATCH] Update package because of vulnerability Flask: CVE-2018-1000656 More information moderate severity Vulnerable versions: < 0.12.3 Patched version: 0.12.3 The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. Requests: CVE-2018-18074 More information moderate severity Vulnerable versions: <= 2.19.1 Patched version: 2.20.0 The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. --- requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index be2b386..2529782 100755 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -Flask==0.11.1 +Flask==0.12.4 Flask-SocketIO==2.6.2 eventlet==0.19.0 greenlet==0.4.10 @@ -7,7 +7,7 @@ python-engineio==0.9.2 python-mimeparse==1.5.2 python-socketio==1.4.4 PyYAML==3.11 -requests==2.11.0 +requests==2.20.0 Werkzeug==0.11.10 httplib2==0.9.2 flask-classy==0.6.10
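Review bot: the Flask hunk pins `Flask==0.12.4` while the commit message names 0.12.3 as the patched version; 0.12.4 still satisfies the fix, but the message should state the version actually pinned (or "0.12.3 or later") so the two agree. This is also a minor-version step from 0.11.1 to the 0.12 line rather than a patch bump, so the application should be run against its test suite before merge, and the unchanged pins that Flask depends on (`Werkzeug==0.11.10` is visible in the second hunk's context) should be checked to resolve cleanly alongside 0.12.4.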
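Review bot: the requests hunk jumps from 2.11.0 straight to 2.20.0, which spans a long run of releases, while every neighbouring pin in the context (`PyYAML==3.11`, `Werkzeug==0.11.10`, `httplib2==0.9.2`, `flask-classy==0.6.10`) stays frozen. The CVE-2018-18074 fix is only effective if the new version actually installs into this pinned set, so the PR should include evidence of a clean `pip install -r requirements.txt` followed by `pip check` in a fresh environment, and any transitive pin elsewhere in the file that conflicts with what requests 2.20.0 requires should be updated in the same change rather than left for the next install to fail on.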