Skip to Content.
Sympa Menu

perfsonar-user - Re: [perfsonar-user] [EXTERNAL] Re: python-flask vulnerability

Subject: perfSONAR User Q&A and Other Discussion

List archive

Re: [perfsonar-user] [EXTERNAL] Re: python-flask vulnerability


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Uhl, George D. (GSFC-423.0)[Arctic Slope Technical Services, Inc.]" <>
  • To: Andrew Lake <>, perfSONAR-Developer <>, perfsonar-user <>
  • Subject: Re: [perfsonar-user] [EXTERNAL] Re: python-flask vulnerability
  • Date: Thu, 9 Jul 2020 17:50:27 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nasa.gov; dmarc=pass action=none header.from=nasa.gov; dkim=pass header.d=nasa.gov; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=A3rT2D9t7Zz4h7zR+Ue7CyUt12kLO/jVn/XRLuRkMs4=; b=l8X5xmTPnkrNgmATR3OOZkmEnalfJS3DX03nuC/bhrel0Ss6IjuobWPeTg8hyePhvpv0+Yq/nSIYjT34+cO/EcT8mhqZGS/42UMYdFaxgh/vJt7AsE5p76QvP7VCgGmg9APwV61DQgRR2MnHIUdx8lvFQn7/79tdHTxVB+LnEDDYzlvfqcYrVywBkE60nwNiykECLXjBMYlgdnEa8IbSKVz13ab7ZlDwifKss6Gj7OAG+w9jxYd+/JHQsejAr9ppXBIqfxdJuEGlOD4bJjjyJLKyhQHHB/br8xkDXLCH6ntuMdlocP6iaR67Z8f6P7fVJZvkAqyll86wx3sjlZK+vg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZArojJj5JsLU74Xoxi9ynr1joPodpOys8lfH4tbIb4EqCsoSOYvhzNVyiizj6bbzijBHEi6xst/CGtN4CwgFYIjsf1H66VMDcl63YFFGYzJJN5S1jLrymz9yHYWS1jIaxpJBfSdNKbLaQ45fOQsV+WlHwolWy9Uid0FwGCJW3U8T+NjeP7swOBNvPZaiiSilO9IGTvSasIhv+QVHhrhXKu5BpKOGzT2g4Eo4qA2rhdKO3dH2G4e+S1l1ul4SpcCDESFCenWKOWTsp/kJgJNxrYTkKKPn8wEkK5iNEdxA50gPn1Vd9c814aAEY2ve6COEPdqtypxj2wM02EhG/eNLSw==
  • Dkim-filter: OpenDKIM Filter v2.11.0 ndmsvnpf103.ndc.nasa.gov 0D4DA4018394

Andy,

 

Thanks for the guidance on the python-flask software package.  I’ve passed your insight on to the network security team where this particular perfsonar server sits and their response is “OK it’s no rush”. I don’t know what methods are used to the scan the systems on their network but for now I’m not planning to install a fresh python package replacement for python-flask  – particularly since Centos hasn’t included the latest version in their repo.

 

Thanks again,

George

 

From: Andrew Lake <>
Date: Wednesday, July 8, 2020 at 1:24 PM
To: perfSONAR-Developer <>, "George.D.Uhl" <>, perfsonar-user <>
Subject: [EXTERNAL] Re: [perfsonar-user] python-flask vulnerability

 

 

Hi,

 

That package comes from a CentOS repo, it is not one we maintain. It’s possible CentOS will backport a change, but not sure how quickly that always happens for the medium issues like that one.  

 

I’m also not sure how the scanner in question is locating the vulnerability, but if it is just looking at version it’s likely not getting the whole picture since CentOS backports the patches. As is the case with most CentOS packages, the base version of the package is older but they backport patches for vulnerabilities. CentOS last updated that package a couple months ago, so it is still getting maintained. I can’t figure out a CVE that corresponds to the info provided by the scanner, so I am having trouble determining if it was already patched. 

 

The next version of perfSONAR (4.3) moves to python3 and thus will move ahead that package. That’s getting close to beta, and we’d rather not risk moving past the supported CentOS version since we then inherit responsibility of backporting more serious issues when they arise and likely RedHat/CentOS will be faster than us in those cases. 

 

Thanks,

Andy

 

On July 8, 2020 at 11:02:10 AM, Uhl, George D. (GSFC-423.0)[Arctic Slope Technical Services, Inc.] () wrote:

All,

 

Our security team identified a version of python-flask with a known vulnerability that they want patched.  The perfsonar repo currently doesn’t provide the latest patched version.  Would it be possible to include the fixed version in the perfsonar repo?

 

Thanks,

George Uhl

 

 

Path : Package - python-flask-0.10.1-5.el7_7|1
Installed version : 0.10.1
Fixed version : 0.12.3

·  Discovery

  • First Discovered: 39 days ago
  • Last Observed: 4 days ago

·  Host Information

·  Risk Information

  • Risk Factor: Medium
  • Vulnerability Priority Rating: 3.6
  • CVSS v2 Base Score: 5.0
  • CVSS v2 Temporal Score: 3.7
  • CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C
  • CVSS v3 Base Score: 7.5
  • CVSS v3 Temporal Score: 6.5
  • CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

·  Exploit Information

  • Patch Published: Apr 26, 2018
  • Exploit Available: No
  • Exploitability Ease: No known exploits are available

 

 

From: <> on behalf of Sowmya Balasubramanian <>
Reply-To: Sowmya Balasubramanian <>
Date: Monday, July 6, 2020 at 4:53 PM
To: perfSONAR-Developer <>, perfsonar-user <>
Subject: [EXTERNAL] [perfsonar-user] Lookup Service Round 3 testing - Jul 8-9

 

Hi All,

 

The perfSONAR Team will be testing the Lookup Service on July 8-9 (Wed-Thu). As done previously, a new instance containing the next release(that replaces backend with Elasticsearch) will be brought online.

 

*No changes* are required to the Toolkits/clients. 

 

We do not expect the service to be impacted. But, you may notice a dip in the number of hosts/interface records (for an hour or two), while the toolkits are switching to the new instance. 

 

After the testing is completed, the Lookup Service instance will be reverted back to the current production instance. 

 

An email will be sent right before the testing starts and when the testing has been completed.

 

Thank you for your cooperation.

 

Regards,

perfSONAR Team

--
To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user


Archive powered by MHonArc 2.6.19.

Top of Page