| Summary: | python-requests new security issues CVE-2014-1829 and CVE-2014-1830 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, makowski.mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/615624/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | python-requests-2.0.0-4.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-09-20 00:51:44 CEST
David Walser
2014-09-20 00:52:04 CEST
CC: (none) => makowski.mageia

Fixed and submitted for mga4 with the following packages in Core/Updates_testing:
- python-requests-2.3.0-1.mga4.noarch
- python3-requests-2.3.0-1.mga4.noarch
- python-requests-2.3.0-1.mga4.src.rpm

Thanks David!

Note the package list in Comment 1. Also note the PoC in the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108

Advisory:
========================

Updated python-requests packages fix security vulnerability:

Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file (CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected (CVE-2014-1830).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
https://bugzilla.redhat.com/show_bug.cgi?id=1046626
https://bugzilla.redhat.com/show_bug.cgi?id=1144907

CC: (none) => geiger.david68210

Testing complete mga4 64
The PoC is python3 so testing python3-requests first.
Downloaded testhttpserver.py & testhttpclient.py and also the netrc file which is netrc.netrc.
Used two terminal tabs, one to run the server and another to test the client.
$ python3 testhttpserver.py
Serving HTTP on 0.0.0.0 port 8000 ...
$ python3 testhttpclient.py
host: 127.0.0.42:8000
auth: None
Moved/renamed netrc.netrc to ~/.netrc
Before
------
$ python3 testhttpclient.py
host: 127.0.0.42:8000
auth: Basic ZWdnczpoYW0=
After
-----
$ python3 testhttpclient.py
host: 127.0.0.42:8000
auth: None
python-requests:
$ python testhttpserver.py
Traceback (most recent call last):
File "testhttpserver.py", line 3, in <module>
import http.server
ImportError: No module named http.server
So I'm not able to use it without converting it, and I don't have the python knowledge for that.
Testing instead with a previous test script which just fetches http from mageia.org.
$ cat test.py
import requests
r = requests.get('https://mageia.org')
print r.text
$ python test.py
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project</title>
...etc

Whiteboard: (none) => has_procedure mga4-64-ok

Testing complete mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Validating. Advisory uploaded. Could sysadmin please push to 4 updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0409.html

Status: NEW => RESOLVED
David Walser
2014-10-09 18:34:43 CEST
URL: (none) => http://lwn.net/Vulnerabilities/615624/
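The two redirect flaws named in the advisory, as an added example that is not part of this bug report, the Debian PoC, or python-requests itself: a standard-library-only model of the header policy a redirect-following client must apply. The "before" policy carries every header to the new location, which is what leaks the netrc credential (CVE-2014-1829) and the Proxy-Authorization header (CVE-2014-1830); the "after" policy re-evaluates both for the new URL, mirroring what the 2.3.0 update does. Assumptions: the PoC's netrc file is not shown on the page, so FAKE_NETRC is a constructed stand-in with an entry for 127.0.0.1 only; the hop 127.0.0.1:8000 to 127.0.0.42:8000 and the eggs:ham credential are chosen so the output matches the tester's before/after lines; proxy.example with puser:psecret is invented for the proxy case.

```python
import base64
from urllib.parse import urlparse

# Constructed stand-in for ~/.netrc (the PoC's real netrc.netrc is not shown on
# the page).  machine -> (login, password); only the first host has an entry.
FAKE_NETRC = {"127.0.0.1": ("eggs", "ham")}


def basic_token(user, password):
    """Basic credential exactly as it appears on the wire."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def netrc_auth(url):
    """Authorization value for the URL's host from the (fake) netrc, or None."""
    creds = FAKE_NETRC.get(urlparse(url).hostname)
    return basic_token(*creds) if creds else None


def proxy_auth(url, proxies):
    """Proxy-Authorization derived from the proxy chosen for this URL's scheme."""
    proxy = proxies.get(urlparse(url).scheme)
    if not proxy:
        return None
    p = urlparse(proxy)
    return basic_token(p.username, p.password or "") if p.username else None


def initial_headers(url, proxies):
    """Headers the first request carries: netrc auth plus proxy credentials."""
    headers = {}
    auth = netrc_auth(url)
    if auth:
        headers["Authorization"] = auth
    pauth = proxy_auth(url, proxies)
    if pauth:
        headers["Proxy-Authorization"] = pauth
    return headers


def redirect_headers_vulnerable(orig_url, new_url, headers, proxies):
    """Pre-fix behaviour: every header, credentials included, follows the redirect."""
    return dict(headers)


def redirect_headers_hardened(orig_url, new_url, headers, proxies):
    """Re-evaluate both credential headers for the new location."""
    out = dict(headers)
    # CVE-2014-1829: an Authorization header must not cross to a different host;
    # the new host gets only what netrc says about that host (nothing, here).
    if urlparse(orig_url).hostname != urlparse(new_url).hostname:
        out.pop("Authorization", None)
        auth = netrc_auth(new_url)
        if auth:
            out["Authorization"] = auth
    # CVE-2014-1830: Proxy-Authorization belongs to a proxy, not to the request;
    # drop it and rebuild it from whichever proxy (if any) serves the new URL.
    out.pop("Proxy-Authorization", None)
    pauth = proxy_auth(new_url, proxies)
    if pauth:
        out["Proxy-Authorization"] = pauth
    return out


def follow_redirect(orig_url, new_url, policy, proxies=None):
    """Simulate one 3xx hop and return the headers the redirect target receives."""
    proxies = proxies or {}
    return policy(orig_url, new_url, initial_headers(orig_url, proxies), proxies)


if __name__ == "__main__":
    hop = ("http://127.0.0.1:8000/", "http://127.0.0.42:8000/")
    for name, policy in (("before", redirect_headers_vulnerable),
                         ("after", redirect_headers_hardened)):
        h = follow_redirect(*hop, policy)
        print(f"{name}: host: {urlparse(hop[1]).netloc} auth: {h.get('Authorization')}")
    # Constructed proxy: credentials live in the proxy URL, http scheme only.
    proxies = {"http": "http://puser:psecret@proxy.example:3128"}
    hop = ("http://127.0.0.1:8000/", "https://127.0.0.42:8443/")
    for name, policy in (("before", redirect_headers_vulnerable),
                         ("after", redirect_headers_hardened)):
        h = follow_redirect(*hop, policy, proxies)
        print(f"{name}: proxy-auth: {h.get('Proxy-Authorization')}")
```

Running it reproduces the tester's observation: with the vulnerable policy the second host sees `auth: Basic ZWdnczpoYW0=` although netrc only knows the first host, and with the hardened policy it sees `auth: None`. The proxy case shows the second CVE: a redirect to an https URL with no https proxy configured still carries the http proxy's credentials under the old policy, and carries nothing under the new one. Note that the hardened policy is still credential-forwarding on same-host redirects, by design.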