A reminder was posted to oss-security of issues fixed in 2.3.0: http://openwall.com/lists/oss-security/2014/09/19/1
We have 2.3.0 in Cauldron. If I read the Red Hat bug correctly, the problem was introduced in 2.0.0 (the version we have in Mageia 4), so Mageia 3 wouldn't be affected: https://bugzilla.redhat.com/show_bug.cgi?id=1046626
CC: (none) => makowski.mageia
Fixed and submitted for mga4 with the following packages in Core/Updates_testing:
- python-requests-2.3.0-1.mga4.noarch
- python3-requests-2.3.0-1.mga4.noarch
- python-requests-2.3.0-1.mga4.src.rpm
Thanks David! Note the package list in Comment 1. Also note the PoC in the Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108

Advisory:
========================

Updated python-requests packages fix security vulnerability:

Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file (CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected (CVE-2014-1830).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
https://bugzilla.redhat.com/show_bug.cgi?id=1046626
https://bugzilla.redhat.com/show_bug.cgi?id=1144907
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Testing complete mga4 64

The PoC is python3 so testing python3-requests first. Downloaded testhttpserver.py & testhttpclient.py and also the netrc file which is netrc.netrc. Used two terminal tabs, one to run the server and another to test the client.

$ python3 testhttpserver.py
Serving HTTP on 0.0.0.0 port 8000 ...

$ python3 testhttpclient.py
host: 127.0.0.42:8000
auth: None

Moved/renamed netrc.netrc to ~/.netrc

Before
------
$ python3 testhttpclient.py
host: 127.0.0.42:8000
auth: Basic ZWdnczpoYW0=

After
-----
$ python3 testhttpclient.py
host: 127.0.0.42:8000
auth: None

python-requests:

$ python testhttpserver.py
Traceback (most recent call last):
  File "testhttpserver.py", line 3, in <module>
    import http.server
ImportError: No module named http.server

So not able to use it without converting it and I don't have the python knowledge for that. Testing instead with a previous test script which just fetches http from mageia.org.

$ cat test.py
import requests
r = requests.get('https://mageia.org')
print r.text

$ python test.py
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project</title>
...etc
Whiteboard: (none) => has_procedure mga4-64-ok
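The advisory above describes both CVEs, and the test comment shows the observable symptom (the "Basic ZWdnczpoYW0=" header following a redirect before the fix, "None" after). The following is an added illustration, not the PoC scripts from the Debian bug nor code from the requests project: a small stdlib-only model of how a redirect-following client should rebuild its headers, with a switch to reproduce the pre-fix behaviour for comparison. The .netrc contents, hostnames and proxy credentials are constructed for the demo.

```python
import base64
import os
import tempfile
from netrc import netrc
from urllib.parse import urlsplit

# Constructed .netrc for the demo: credentials only for "localhost"
# (eggs:ham encodes to the "Basic ZWdnczpoYW0=" seen in the test above).
NETRC_TEXT = "machine localhost login eggs password ham\n"


def netrc_auth_for(host, netrc_text=NETRC_TEXT):
    """(login, password) the stdlib netrc parser yields for host, or None."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(netrc_text)
        path = f.name
    try:
        entry = netrc(path).authenticators(host)
    finally:
        os.unlink(path)
    return (entry[0], entry[2]) if entry else None


def basic_header(login, password):
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def rebuild_headers(prev_url, headers, next_url, netrc_text=NETRC_TEXT):
    """Headers a redirect-following client should send to next_url."""
    new = dict(headers)
    if urlsplit(prev_url).hostname != urlsplit(next_url).hostname:
        # CVE-2014-1829: credentials chosen for the first host must not
        # follow a cross-host redirect; re-run the .netrc lookup instead.
        new.pop("Authorization", None)
        creds = netrc_auth_for(urlsplit(next_url).hostname, netrc_text)
        if creds:
            new["Authorization"] = basic_header(*creds)
    # CVE-2014-1830: proxy credentials belong to the proxy chosen for the
    # original URL; drop them so proxy selection is redone for next_url.
    new.pop("Proxy-Authorization", None)
    return new


def headers_at_final_hop(chain, fixed=True, netrc_text=NETRC_TEXT):
    """Walk a redirect chain and return the headers the last server sees."""
    headers = {"Proxy-Authorization": basic_header("proxyuser", "proxypass")}
    creds = netrc_auth_for(urlsplit(chain[0]).hostname, netrc_text)
    if creds:
        headers["Authorization"] = basic_header(*creds)
    for prev_url, next_url in zip(chain, chain[1:]):
        if fixed:  # fixed=False reproduces the pre-2.3.0 behaviour
            headers = rebuild_headers(prev_url, headers, next_url, netrc_text)
    return headers
```

With fixed=False the headers from the first hop reach 127.0.0.42 unchanged, which is the "Before" output in the test; with fixed=True a cross-host redirect arrives with neither header.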
Testing complete mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 4 updates Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0409.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/615624/