Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-Flask-Security-Too for openSUSE:Factory checked in at 2024-06-03 17:41:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-Flask-Security-Too (Old) and /work/SRC/openSUSE:Factory/.python-Flask-Security-Too.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-Flask-Security-Too" Mon Jun 3 17:41:31 2024 rev:23 rq:1177933 version:5.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-Flask-Security-Too/python-Flask-Security-Too.changes 2024-02-13 22:42:25.864377645 +0100 +++ /work/SRC/openSUSE:Factory/.python-Flask-Security-Too.new.24587/python-Flask-Security-Too.changes 2024-06-03 17:41:40.323052730 +0200 
@@ -1,0 +2,75 @@ +Fri May 31 12:12:17 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> + +- Update to 5.4.3: + + Fixes + * Regression - some templates no longer getting correct config + * CSRF not properly ignored for application forms using + :py SECURITY_CSRF_PROTECT_MECHANISMS. + * Improve jp translations + * Regression - datetime_factory should still be an attribute + * :py SECURITY_RETURN_GENERIC_RESPONSES hide email + validation/syntax errors. + +- Update to 5.4.2: + + Fixes + * OpenAPI spec missing. + * Doc fixes + * Update ES/IT translations + +- Update to 5.4.0 & 5.4.1: + + Features and improvements: + * Work with Flask[async]. view decorators and signals support + async handlers. + * CI support for python 3.12 + * Work with py_webauthn 2.0 (and only 2.0+) + * Improve (and simplify) Two-Factor setup. See below for + backwards compatability issues and new functionality. + * Improve oauth debugging support. Handle next propagation in a + more general way. + * Make AnonymousUser (Flask-Login) optional and deprecated. + * Remove undocumented and untested looking in session for + possible 'next' redirect location. + * No longer rely on Flask-Login.unauthorized callback. See + below for implications. + * Changes to default unauthorized handler - remove use of + referrer header (see below) and document precise behavior. + * The authentication_token format has changed - adding + per-token expiry time and future session ID. Old tokens are + still accepted. + + Docs and Chores + * Improve method translations for unified signin and two + factor. Remove support for Flask-Babelex. + * Chore - stop setting all config as attributes. + init_app(**kwargs) can only set forms, flags, and utility + classes (see below for compatibility concerns). + * Update Spanish and Italian translations. + * Improve translations for two-factor method selection. + * Improve German translations. + * Remove deprecation of AUTO_LOGIN_AFTER_CONFIRM - it has a + reasonable use case. 
+ * Update message extraction - note that the + CONFIRM_REGISTRATION message was changed to improve + readability. + + Fixes + * us-signin magic link should use fs_uniquifier (not email). + * Improve open-redirect vulnerability mitigation. (see below) + * user_datastore.create_user has side effects on mutable + inputs. (NoRePercussions) + * The long deprecated _unauthorized_callback/handler has been + removed. + * Oauth re-used POST_LOGIN_VIEW which caused confusion. See + below for the new configuration and implications. + * Improve CSRF documentation and testing. Fix bug where a CSRF + failure could return an HTML page even if the request was + JSON. + * Register with JSON and authentication token failed CSRF. + * Fix 2 issues with CSRF configuration. + * It was possible that if SECURITY_EMAIL_VALIDATOR_ARGS were + set that deliverability would be checked even for login. + + Backwards Compatibility Concerns + Please read the full changelog at + https://github.com/Flask-Middleware/flask-security/blob/master/CHANGES.rst#v... +- Drop patch that's already included by upstream: + * support-python-312.patch + +------------------------------------------------------------------- Old: ---- Flask-Security-Too-5.3.3.tar.gz support-python-312.patch New: ---- Flask-Security-Too-5.4.3.tar.gz BETA DEBUG BEGIN: Old:- Drop patch that's already included by upstream: * support-python-312.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-Flask-Security-Too.spec ++++++ --- /var/tmp/diff_new_pack.umikXE/_old 2024-06-03 17:41:41.055080567 +0200 +++ /var/tmp/diff_new_pack.umikXE/_new 2024-06-03 17:41:41.055080567 +0200 @@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-Flask-Security-Too -Version: 5.3.3 +Version: 5.4.3 Release: 0 Summary: Security for Flask apps License: MIT 
@@ -27,8 +27,6 @@ Patch0: no-mongodb.patch # PATCH-FIX-OPENSUSE Use pyqrcodeng, we do not ship qrcode in OpenSUSE. Patch1: use-pyqrcodeng.patch -# PATCH-FIX-UPSTREAM Based on gh#Flask-Middleware/flask-security#900 -Patch2: support-python-312.patch BuildRequires: %{python_module Authlib} BuildRequires: %{python_module Babel >= 2.10.0} BuildRequires: %{python_module Flask >= 2.3.2} @@ -37,7 +35,7 @@ BuildRequires: %{python_module Flask-Mailman >= 0.3.0} BuildRequires: %{python_module Flask-Principal >= 0.4.0} BuildRequires: %{python_module Flask-SQLAlchemy >= 3.0.3} -BuildRequires: %{python_module Flask-WTF >= 1.1.1} +BuildRequires: %{python_module Flask-WTF >= 1.1.2} BuildRequires: %{python_module MarkupSafe >= 2.1.0} BuildRequires: %{python_module PyQRCode >= 1.2} BuildRequires: %{python_module SQLAlchemy} @@ -49,8 +47,8 @@ BuildRequires: %{python_module bleach >= 6.0.0} BuildRequires: %{python_module cachetools >= 3.1.0} BuildRequires: %{python_module cryptography >= 40.0.2} -BuildRequires: %{python_module dateutil} BuildRequires: %{python_module email-validator >= 2.0} +BuildRequires: %{python_module freezegun} BuildRequires: %{python_module importlib_resources >= 5.10.0} BuildRequires: %{python_module itsdangerous >= 1.1.0} BuildRequires: %{python_module passlib >= 1.7.4} @@ -61,6 +59,7 @@ BuildRequires: %{python_module pytest >= 6.2.5} BuildRequires: %{python_module requests} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module webauthn >= 2.0.0} BuildRequires: %{python_module wheel} BuildRequires: %{python_module zxcvbn >= 4.4.28} BuildRequires: fdupes @@ -69,7 +68,7 @@ Requires: python-Flask-Babel >= 3.1.0 Requires: python-Flask-Login >= 0.6.2 Requires: python-Flask-Principal >= 0.4.0 -Requires: python-Flask-WTF >= 1.1.1 +Requires: python-Flask-WTF >= 1.1.2 Requires: python-MarkupSafe >= 2.1.0 Requires: python-WTForms >= 3.0.0 Requires: python-Werkzeug >= 2.3.3 
@@ -80,6 +79,7 @@ Requires: python-importlib_resources >= 5.10.0 Requires: python-itsdangerous >= 1.1.0 Requires: python-passlib >= 1.7.4 +Requires: python-webauthn >= 2.0.0 Recommends: python-PyQRCode >= 1.2 Recommends: python-SQLAlchemy Recommends: python-zxcvbn >= 4.4.28 ++++++ Flask-Security-Too-5.3.3.tar.gz -> Flask-Security-Too-5.4.3.tar.gz ++++++ ++++ 34550 lines of diff (skipped)
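Review bot: In the python-Flask-Security-Too.changes hunk, the "Update to 5.4.0 & 5.4.1" entry keeps upstream's "see below" pointers (Two-Factor setup, the unauthorized handler, open-redirect mitigation, the Oauth/POST_LOGIN_VIEW change), but the "Backwards Compatibility Concerns" section they point to is only a link to CHANGES.rst, so the pointers resolve to nothing in this file. Drop them, or summarise the items that change behaviour for packaged applications, such as "Work with py_webauthn 2.0 (and only 2.0+)" and "init_app(**kwargs) can only set forms, flags, and utility classes". The entry also leaves out the packaging changes made in the spec: Flask-WTF raised to >= 1.1.2, webauthn and freezegun added, dateutil dropped. Since the update carries open-redirect and CSRF fixes, add a tracking reference to the entry if one exists.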
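Review bot: In the spec hunk at @@ -80,6 +79,7 @@, python-webauthn >= 2.0.0 is added as a hard Requires, while the feature-specific modules directly below it (PyQRCode, SQLAlchemy, zxcvbn) are Recommends. If the module is only imported when WebAuthn is enabled, Recommends would match how the other optional features are packaged and keep the base install smaller. If it is imported unconditionally, a one-line comment above the Requires saying so would make the choice clear to the next reviewer.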