A CVE has been assigned for an issue fixed upstream in python-requests 2.6.0: http://openwall.com/lists/oss-security/2015/03/15/1 The upstream commit to fix the issue is also linked in the message above. Mageia 4 and Mageia 5 are both affected. Reproducible: Steps to Reproduce:
CC: (none) => makowski.mageiaWhiteboard: (none) => MGA5TOO, MGA4TOO
Fixed on svn for Cauldron with new 2.6.0 release and freeze_push requested. I'll try to fix for mga4 with a patch if it is possible on 2.3.0 release.
python-requests-2.6.0-1.mga5 uploaded for Cauldron.
Version: Cauldron => 4Whiteboard: MGA5TOO, MGA4TOO => (none)
python-requests-2.3.0-1.1.mga4 uploaded for Mageia 4.
Version: 4 => Cauldron
Thanks David! Advisory: ======================== Updated python-requests packages fix security vulnerability: In python-requests before 2.6.0, a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing (CVE-2015-2296). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296 https://warehouse.python.org/project/requests/2.6.0/ http://openwall.com/lists/oss-security/2015/03/15/1 ======================== Updated packages in core/updates_testing: ======================== python-requests-2.3.0-1.1.mga4 python3-requests-2.3.0-1.1.mga4 from python-requests-2.3.0-1.1.mga4.src.rpm
CC: (none) => geiger.david68210Version: Cauldron => 4Assignee: geiger.david68210 => qa-bugs
python3-requests-2.6.0-1.mga5 ################################# [ 50%] error: unpacking of archive failed on file /usr/lib/python3.4/site-packages/requests/packages/chardet: cpio: rename error: python3-requests-2.6.0-1.mga5.noarch: install failed error: python3-requests-2.3.0-4.mga5.noarch: erase skipped Manually unpacking using rpm2cpio ./python3-requests-2.6.0-1.mga5.noarch.rpm | cpio -idmv works fine
CC: (none) => nic
That usually happens when the file type changes (between regular file, symlink, or directory usually). A %pretrans scriplet is needed to fix it. Maybe the better move at this point would be to ask the sysadmins to back out the 2.6.0 update and just patch it.
CC: (none) => tmb
Is that something I would need to do? I don't know how to do it.
(In reply to Nic Baxter from comment #7) > Is that something I would need to do? I don't know how to do it. If you mean fix the package with a %pretrans scriplet, no, that would be for the packager (David) to do. If you mean roll back to the previous version. well, that's for a sysadmin like Thomas to take care of, but if that's what happens, you would need to manually downgrade the package on your system. We'll see what happens with this.
(In reply to David Walser from comment #8) > (In reply to Nic Baxter from comment #7) > > Is that something I would need to do? I don't know how to do it. > > If you mean fix the package with a %pretrans scriplet, no, that would be for > the packager (David) to do. If you mean roll back to the previous version. > well, that's for a sysadmin like Thomas to take care of, but if that's what > happens, you would need to manually downgrade the package on your system. > We'll see what happens with this. Ahh, indeed Thomas did roll it back to the previous version (and applied the patches to fix the security issue). You can downgrade it with "urpmi --downgrade python-requests python3-requests" (or just python3-requests if that's the only one of the two you have installed).
Thomas had to rebuild the Mageia 4 update due to a missing signature. Updated packages in core/updates_testing: ======================== python-requests-2.3.0-1.2.mga4 python3-requests-2.3.0-1.2.mga4 from python-requests-2.3.0-1.2.mga4.src.rpm
For future reference, python-requests 2.6.0 also breaks python-urllib3 (thus breaking system-config-printer), as ennael just found out. It would need python-urllib3 upgraded to 1.10 to fix that.
Ubuntu has issued an advisory for this today (March 16): http://www.ubuntu.com/usn/usn-2531-1/
URL: (none) => http://lwn.net/Vulnerabilities/636951/Severity: normal => major
This is a neat module. Documentation is here: http://docs.python-requests.org/en/latest/user/quickstart/ You can see there how to test downloading a web page, how to handle redirection and cookies (what's affected by the update), and other things. If you're connecting to a local site via https, you'll need to add a ", verify=False" into your requests.get() call. Normal usage works fine for me before and after the update.
Testing on Mageia4x64 real hardware, From current packages : --------------------- python-requests-2.3.0-1.mga4 python3-requests-2.3.0-1.mga4 Followed link mentioned by David in comment 13 to prepare 2 scripts to test redirection and cookies setting = python pyrequests_test1.py : import requests r = requests.get('http://github.com', allow_redirects=True) print r.history print r.url print r.status_code print r.cookies py3requests_test2.py : import requests r = requests.get('http://github.com', allow_redirects=True) print (r.history) print (r.url) print (r.status_code) print (r.cookies) $ python pyrequests_test1.py [<Response [301]>] # shows redirection from http to https https://github.com/ # idem 200 # request success <RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=eyJzZXNzaW9uX2lkIjoiZTAxYzAwMjQ2NGJlN2MzYjlmYzAwOTk4M2NiMTE4NGQiLCJfY3NyZl90b2tlbiI6ImZQWFhYYkZxN1dYVnI3dGxVanBaZzEwc2xWZGJtaEFGbG9XcHJ4cUpCY009In0%3D--ecad9f138f48d7bc2588402d8092a3c8f709f634 for github.com/>]> $ python3 py3requests_test2.py [<Response [301]>] https://github.com/ 200 <<class 'requests.cookies.RequestsCookieJar'>[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=eyJzZXNzaW9uX2lkIjoiZDhhNWU1NmNkNmI2ZDBkMGZkM2YwNzBkMzA1M2MwYWQiLCJfY3NyZl90b2tlbiI6IkNLbHQ4amFESFM0SktyekJYME13WDB4VFFxMjdtWkFGMTR0WjJDcENkeGs9In0%3D--a6553669472fc0a0689d087150f8c629e0107cc3 for github.com/>]> To updated testing packages : --------------------------- python-requests-2.3.0-1.2.mga4 python3-requests-2.3.0-1.2.mga4 Updated testing packages installed ok and $ python pyrequests_test1.py $ python3 py3requests_test2.py gave equivalent results. OK
CC: (none) => olchalWhiteboard: (none) => MGA4-64-OK
Thanks for the test case, I didn't know of a good site to use that redirects off the top of my head. I confirmed the same results as Olivier on Mageia 4 i586.
Whiteboard: MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisoryCC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0120.html
Status: NEW => RESOLVEDResolution: (none) => FIXED