python-flask-cors (3.0.10-2+deb12u1) bookworm; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764).
    - An attacker can inject fake log entries into the log file by sending a
      specially crafted GET request containing a CRLF sequence in the request
      path, allowing them to corrupt log files, potentially covering tracks of
      other attacks, confusing log post-processing tools, and forging log
      entries.
  * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988).
    - The request path matching is case-insensitive. This results in a mismatch
      because paths in URLs are case-sensitive, but the regex matching treats
      them as case-insensitive. This misconfiguration can lead to significant
      security vulnerabilities, allowing unauthorized origins to access paths
      meant to be restricted, resulting in data exposure and potential leaks.
  * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to
    fix CVE-2024-6839 (closes: #1100988).
    - There is an improper regex path matching vulnerability. The plugin
      prioritizes longer regex patterns over more specific ones when matching
      paths, which can lead to less restrictive CORS policies being applied to
      sensitive endpoints. This mismatch in regex pattern priority allows
      unauthorized cross-origin access to sensitive data or functionality,
      potentially exposing confidential information and increasing the risk of
      unauthorized actions by malicious actors.
   d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988).
   - The request.path is passed through the unquote_plus function, which
     converts the '+' character to a space ' '. This behavior leads to
     incorrect path normalization, causing potential mismatches in CORS
     configuration. As a result, endpoints may not be matched correctly to
     their CORS settings, leading to unexpected CORS policy application. This
     can cause unauthorized cross-origin access or block valid requests,
     creating security vulnerabilities and usability issues.

 -- Daniel Leidert <dleidert@debian.org>  Mon, 30 Jun 2025 02:59:32 +0200

python-flask-cors (3.0.10-2) unstable; urgency=medium

  * Team upload.
  * d/watch: Use git mode to check newer versions
  * d/control: Increase Standards-Version to 4.6.2
    No further modifications needed.
  * d/control: Adjust/update B-D, add BuildProfileSpecs
  * d/rules: Remove --with option from default target
  * d/copyright: Adjust Homepage to GH project space
  * d/u/metadata: Adjust some more data
  * d/copyright: Update year data
  * autopkgtest: Be more specific on depending packages

 -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 22 Jan 2023 09:52:05 +0100

python-flask-cors (3.0.10-1) unstable; urgency=medium

  * Team upload.
  * d/gbp.conf: Add more settings
  * New upstream version 3.0.10
  * Rebuild patch queue from patch-queue branch
    Renamed patches:
    remove_badges_from_doc
     -> debian-hacks/Privacy-Remove-linking-to-external-resources.patch
    redirect_api_links_locally
     -> debian-hacks/README-Link-to-internal-HTML-resource.patch
    Added patches:
    debian-hacks/docs-Use-local-inventory-for-Python3.patch
    upstream/Spelling-Fix-misspelled-word-conjuction.patch
    upstream/Spelling-Fix-misspelled-word-maching.patch
    Dropped patch (fixed upstream):
    spelling_error_in_manpage
  * d/control: Make DPT to the package maintainer
  * d/{control,rules}: Move over to dh-sequence-python3
  * d/control: Add new entries, sort Build-Depends alphabetical
    (Closes: #1018495)
  * d/u/metadata: Fix small typo
  * autopkgtest: Switch to use pytest instead of nose
  * d/rules: Use pytest to run internal tests
  * documentation: Build HTML and manpage by dh_sphinxdoc
  * d/control: Increase Standards-Version to 4.6.1
    No further modifications needed.
  * d/salsa-ci.yml: Adding Yaml CI control data for Salsa
    Rename d/.gitlab-ci.yml to d/salsa-ci.yml, update the content of the
    file.

 -- Carsten Schoenert <c.schoenert@t-online.de>  Tue, 01 Nov 2022 08:15:36 +0100

python-flask-cors (3.0.9-2) unstable; urgency=medium

  * Team upload.

  [ Bastian Germann ]
  * d/copyright: Fix superfluous license.

 -- Louis-Philippe Véronneau <pollo@debian.org>  Fri, 18 Dec 2020 11:06:56 -0500

python-flask-cors (3.0.9-1) unstable; urgency=medium

  * Team upload.

  [ Louis-Philippe Véronneau ]
  * d/gbp.conf: use team's branch names and migrate to debian/master.
  * d/control: upgrade to dh13.
  * d/control: update Standards-Version to 4.5.1. Add Rules-Requires-Root.
  * d/control: the team is not called the Python Team.
  * d/tests: add autopkgtest.

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.1.
  * d/control: Update Vcs-* fields with new Debian Python Team Salsa
    layout.

  [ Bastian Germann ]
  * Add gbp.conf
  * New upstream version 3.0.9 (Closes: #950058, #969362)

 -- Louis-Philippe Véronneau <pollo@debian.org>  Fri, 18 Dec 2020 10:54:57 -0500

python-flask-cors (3.0.8-2) unstable; urgency=medium

  [ Ondřej Nový ]
  * Bump Standards-Version to 4.4.0.

  [ Stewart Ferguson ]
  * Bumping version to facilitate source-only upload

 -- Stewart Ferguson <stew@ferg.aero>  Tue, 30 Jul 2019 19:11:58 +0200

python-flask-cors (3.0.8-1) unstable; urgency=medium

  * Upstream release 3.0.8
  * Bumping standards-version 4.2.1 -> 4.3.0 (no changes required)
  * Bumping compat 11 -> 12 and replacing d/compat with newer build-dep
  * Adding d/upstream/metadata

 -- Stewart Ferguson <stew@ferg.aero>  Sun, 09 Jun 2019 09:29:19 +0200

python-flask-cors (3.0.7-1) unstable; urgency=medium

  * Initial release (Closes: #915789)

 -- Stewart Ferguson <stew@ferg.aero>  Wed, 05 Dec 2018 21:51:05 +0100