pallets-eco / flask-security

Quick and simple security for Flask applications
MIT License

Open CVE, please consider to yank pypi versions #872

Open do3cc opened 2 years ago

do3cc commented 2 years ago

Hi,

there is an open CVE for flask-security that has already been addressed in the fork. It seems this package will not receive more updates.

Are you aware that PyPI nowadays offers the possibility to yank package releases? When you yank all versions on PyPI, one gets an error when installing a flask-security package without specifying a version. When explicitly asking for a specific version, one still gets that version installed, just with a warning. This provides a good middle ground: new projects will understand that they should look for something with active maintenance or take over maintenance, and existing projects can choose what to do, but aren't left dead on the road with a package that can't be installed any more.

So could you consider yanking the PyPI releases of flask-security?

Pinging @jonafato here because he looks active on GitHub and has PyPI permissions for this package.
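
The yank semantics described in the comment above (PEP 592: installers skip yanked releases whenever a non-yanked one satisfies the request, and only an exact `==` pin may fall back to a yanked release, with a warning) modelled in a small resolver. This is an added example and not pip's or PyPI's code; the release lists are constructed for illustration and do not reflect the real state of any project on PyPI.

```python
"""Model of how an installer selects among yanked releases (PEP 592).

Added example, not pip's or PyPI's code. The release lists below are
constructed for illustration; they are not the real state of any project
on PyPI.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Release:
    version: str
    yanked: bool = False
    reason: str = ""  # the yank reason PyPI shows next to the release


@dataclass(frozen=True)
class Resolution:
    release: Optional[Release]
    warning: str = ""  # non-empty when a yanked release was chosen anyway
    error: str = ""    # non-empty when nothing could be installed


def _version_key(version: str) -> Tuple[int, ...]:
    # Enough for the simple X.Y.Z versions used here; real installers use
    # PEP 440 ordering from the packaging library.
    return tuple(int(part) for part in version.split("."))


def resolve(index: List[Release], pin: Optional[str] = None) -> Resolution:
    """Pick a release the way PEP 592 tells installers to.

    pin=None models `pip install pkg` (any version); pin="1.2.3" models an
    exact `==` pin. Yanked releases are ignored whenever a non-yanked one
    satisfies the request; only an exact pin may fall back to a yanked
    release, and then with a warning.
    """
    matching = [r for r in index if pin is None or r.version == pin]
    if not matching:
        return Resolution(None, error=f"no release matches {pin!r}")

    live = [r for r in matching if not r.yanked]
    if live:
        return Resolution(max(live, key=lambda r: _version_key(r.version)))

    if pin is None:
        return Resolution(
            None,
            error="every release is yanked; pin an exact version to install one anyway",
        )

    chosen = max(matching, key=lambda r: _version_key(r.version))
    note = f" (reason: {chosen.reason})" if chosen.reason else ""
    return Resolution(
        chosen,
        warning=f"WARNING: {chosen.version} is a yanked release{note}",
    )


# Constructed indexes for the two situations discussed in the thread.
MIXED_INDEX = [
    Release("3.0.0"),
    Release("3.1.0", yanked=True, reason="broken wheel"),
    Release("3.2.0"),
]
ALL_YANKED_INDEX = [
    Release("3.0.0", yanked=True, reason="unmaintained, use the fork"),
    Release("3.1.0", yanked=True, reason="unmaintained, use the fork"),
]

if __name__ == "__main__":
    for index, pin in [(MIXED_INDEX, None), (MIXED_INDEX, "3.1.0"),
                       (ALL_YANKED_INDEX, None), (ALL_YANKED_INDEX, "3.1.0")]:
        r = resolve(index, pin)
        chosen = r.release.version if r.release else None
        print(f"pin={pin!r:>8} -> {chosen} {r.warning or r.error}")
```

Running the block shows the middle ground the comment describes: an unpinned install against the all-yanked index fails with a message pointing at pinning, while an explicit pin still installs and carries the yank reason in its warning. Real pip additionally honours `===` and prints the reason as given by the project, which is why a yank reason naming the maintained fork is worth writing.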

jwag956 commented 2 years ago

It should be noted that the default configuration (of Werkzeug) renders this CVE unexploitable. Only applications that specifically have set autocorrect_location_header to False are vulnerable.
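
The mechanism behind the point above, as an added example that is not Werkzeug's or Flask-Security's code and does not describe the specific bypass of the CVE (the thread does not spell it out): with `autocorrect_location_header` enabled, Werkzeug resolves a relative `Location` value against the current request URL before sending it, so any value that a redirect validator let through as "host-less" can only land on the application's own origin. With it disabled the value goes out verbatim and the browser decides what it means. `finalize_location()` below is a simplified model of that join (an assumption, not Werkzeug's implementation), `is_local_target()` is a deliberately naive validator of the kind a login `next` parameter is checked with, and all URLs are constructed. One caveat to the "default configuration" argument: Werkzeug 2.1 changed the default of `autocorrect_location_header` to `False`, so the protection described depends on the Werkzeug version installed, not only on whether the application touched the setting.

```python
"""Why Werkzeug's autocorrect_location_header matters for a redirect check.

Added example, not Werkzeug's or Flask-Security's code. finalize_location()
is a simplified model (assumption) of what Werkzeug does with a Location
header when autocorrect_location_header is enabled: join it onto the current
request URL. is_local_target() is a deliberately naive redirect validator.
All URLs below are constructed.
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed: the URL of the request that is about to redirect.
CURRENT_URL = "https://app.example/login"


def is_local_target(target: str) -> bool:
    """Naive check: accept only values urlsplit sees as scheme-less and host-less."""
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def finalize_location(location: str, current_url: str, autocorrect: bool) -> str:
    """Model of Werkzeug's Location handling (simplified, an assumption).

    With autocorrect on, the value is resolved against the current request
    URL, so a relative value can only point at this application's origin.
    With autocorrect off the value is sent verbatim and the browser resolves it.
    """
    if autocorrect:
        return urljoin(current_url, location)
    return location


def redirect_outcome(target: str, autocorrect: bool,
                     current_url: str = CURRENT_URL) -> Optional[str]:
    """Location header the app would send for `?next=<target>`, or None if rejected."""
    if not is_local_target(target):
        return None
    return finalize_location(target, current_url, autocorrect)


# Constructed targets. The last one is the interesting case: urlsplit sees no
# scheme and no host in it, so the naive check passes it, but a WHATWG
# conforming browser treats the backslashes as slashes and reads it as a
# scheme-relative URL (https://attacker.example/) if it arrives verbatim.
# With autocorrect on it is joined onto CURRENT_URL and stays on app.example.
TARGETS = [
    "/dashboard",
    "https://attacker.example/",
    "//attacker.example/",
    "\\\\attacker.example/",
]

if __name__ == "__main__":
    for autocorrect in (True, False):
        print(f"autocorrect_location_header={autocorrect}")
        for t in TARGETS:
            print(f"  next={t!r:26} -> Location: {redirect_outcome(t, autocorrect)!r}")
```

The lesson for a practitioner is the one the thread converges on: the join is a safety net, not input validation. A redirect validator should normalise the target itself (reject anything whose browser interpretation could differ from the parser's, or compare against an allowlist of paths) rather than rely on a response-time setting whose default has changed between Werkzeug releases.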

do3cc commented 2 years ago

You are right. The CVE states that when Werkzeug in the default configuration is being used, the problem does not exist. And reading the code, it looks like the relevant Werkzeug code will always be executed in django-security, even when not using Werkzeug as the WSGI server. But I didn't verify that I read the code correctly, and input sanitization shouldn't happen only when preparing the response already. So it's imho still a good idea to yank the releases so that new projects won't use an unmaintained piece of software for which a maintained fork exists.

mcepl commented 1 year ago

Are you talking about https://www.cve.org/CVERecord?id=CVE-2021-23385 here?