Ubuntu has issued an advisory today (October 15): https://usn.ubuntu.com/3790-1/
Whiteboard: (none) => MGA6TOO
Assigning to the Python maintainers, CC'ing the registered maintainer.
CC: (none) => geiger.david68210, marja11
Assignee: bugsquad => python
Done for Cauldron and mga6!
Advisory:
========================

Updated python-requests packages fix security vulnerability:

It was discovered that Requests incorrectly handled certain HTTP headers. An attacker could possibly use this issue to access sensitive information (CVE-2018-18074).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
https://usn.ubuntu.com/3790-1/
========================

Updated packages in core/updates_testing:
========================
python-requests-2.11.1-2.1.mga6
python3-requests-2.11.1-2.1.mga6

from python-requests-2.11.1-2.1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: python => qa-bugs
Version: Cauldron => 6
Tried procedure as per bug 15496, but get stuck, and I don't speak python well:

$ python pyrequests_test1.py
Traceback (most recent call last):
  File "pyrequests_test1.py", line 1, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 60, in <module>
    from .packages.urllib3.exceptions import DependencyWarning
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 29, in <module>
    import urllib3
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 8, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in <module>
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in <module>
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError
CC: (none) => herman.viaene
@Herman re comment #4: Just tried that script and it worked OK before the update.

$ python pyrequests_test1.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=VEhZSDJ0VzdCTkVtVTF6dzNOR0cxemttUU83S2Z1Tk8wdXQvY1R6b0hLaFVubmd2UG00VkJ6Q1BZMjVkeUFmNnRnQXBsM2tGNjl4VExKV0MxN1ZDZ3ZBRy9ILzd4bW95N3JidU1jbGQwdDFTdno0RHNOYWdHNFFXZkI0d0I4MTcxYjNmcWxJSURQS0RvRy9sK0I0eEZ5ckxqS09YUytZeWpyZjJNQ2hKS1NBS0hWTncrWURXd2xYQnloSG9iSmlib3FVWXNnQThVbzFIa1lNTWVJeWQ0QT09LS1LdUpSQ2pmU2NLamxvSE5PemEwM2FBPT0%3D--d14c9e80dcc7c1bfc5cae20f977eddba79f0f48b for github.com/>, <Cookie has_recent_activity=1 for github.com/>]>

$ python3 py3requests_test2.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=aU9TK1VHem5GREZQWHlhOUVmNWFpeWkxQjVSd1NOVDRFRU5WcDBEQ3A4ME1MRko5TUxtQ0t5ZHMxT1Y3Y29mWXIwdHN5bktLM0tMZGFyaGZ2SnRqR2pTUEhSQXI2WkU5OVZUaHpxZ05uOHR6VXUrcS9zWTlKNjhtenUvaGYwQlJwck1aam84WkwrMzRoZUZHNXJSVElvbzBBRlZTb3MxU1d6NnRVNUowTDlMNWhpYlJlNjlRQVQrWGszOHI0V2tIU21VaXJWZ1FnczFGWmZ5d0YwTE0xZz09LS1uNzJmcDFYY0VaUERiYjVyaUV0eFdBPT0%3D--2fe1ab0e70660d8b726e9c05f4ae49e557c8bf08 for github.com/>, <Cookie has_recent_activity=1 for github.com/>]>

As there is a possible PoC for the current update shall update later.
CC: (none) => tarazed25
Trying to make sense of the PoC at https://github.com/requests/requests/issues/4716 - unfamiliar territory.

It says to run a normal https server or netcat at localhost:8000. No idea what a normal https server is and by 'netcat' I assume telnet.

$ telnet -S localhost:8000
Setting TOS to 0x0
telnet>

Then run an ssl https server with special properties at localhost:4443. Copied the code to ssl_server.py
-------------------------------------------------------------------------
#!/bin/env python
import BaseHTTPServer
import ssl

class Handler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', 'http://localhost:8000/')
        self.end_headers()
        self.wfile.write('')

httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), Handler)
httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True,
                               certfile='yourpemfile.pem')
httpd.serve_forever()
-------------------------------------------------------------------------
but do not know how to run it. Tried:

$ ./ssl_server.py localhost:4443
Traceback (most recent call last):
  File "./ssl_server.py", line 14, in <module>
    certfile='yourpemfile.pem')
  File "/usr/lib64/python2.7/ssl.py", line 949, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 560, in __init__
    self._context.load_cert_chain(certfile, keyfile)
IOError: [Errno 2] No such file or directory

So it needs a pemfile, whatever that is or something. ?? Looks like this is going to take a while.
A pemfile is an SSL certificate, which any web server running https would have.
Good to know, but where can I find such a certificate?
locate yields 218 pem certificates on this system. Guess it is a case of looking through all of them.
Filtering on https reduces it to 32.
/etc/pki/tls, should be a certs and private directory with httpd.pem files containing the public and private certs.
Yes, thanks. Both do have httpd.pem.
$ sudo ./ssl_server.py localhost:4443
Traceback (most recent call last):
  File "./ssl_server.py", line 14, in <module>
    certfile='/etc/pki/tls/private/httpd.pem')
  File "/usr/lib64/python2.7/ssl.py", line 949, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 560, in __init__
    self._context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:2779)

It may be time to drop this.
Try the public cert, it should be that one.
Tried the certs one but that failed also. However, the tls directory contains a script for generating a pem file - tried that and ran the server command. Don't know if sudo is necessary but the command does not fault:

$ sudo ./ssl_server.py localhost:4443

So, the server may be running. Running out of time for testing this tonight. There is python3 as well.

Request file is:
import requests
requests.get('https://localhost:4443', auth=('hello', 'world'), verify=False)

Submitted it and received some output

[localhost:4443]
127.0.0.1 - - [25/Oct/2018 23:04:05] "GET / HTTP/1.1" 302 -

[terminal]
$ python request.py
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:841: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "request.py", line 2, in <module>
    requests.get('https://localhost:4443', auth=('hello', 'world'), verify=False)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 617, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 177, in resolve_redirects
    **adapter_kwargs
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 487, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='localhost', port=8000): Max retries exceeded with url: / (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f5f44037b50>: Failed to establish a new connection: [Errno 111] Connection refused',))

Must have misunderstood. Maybe this should have been sent via the telnet server - getting confused.
Leaving the servers running all night was not a good idea. It was dead in the morning. Power cycled the monitor and the PC then went into the BIOS to boot the machine.

Restarted the servers on ports 8000 and 4443. Changed the verify in the request line to True and tried again.

$ sudo python request.py
Traceback (most recent call last):
  File "request.py", line 2, in <module>
    requests.get('https://localhost:4443', auth=('hello', 'world'), verify=True)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Fedora has issued an advisory for this on November 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ODR7ZTGPEISZ35PPEJLPU5CAE5D23CXV/ The issue is fixed upstream in 2.20.0.
Testing M6/64

Repeating Len's test c5, based on Olivier's scripts & tests in:
https://bugs.mageia.org/show_bug.cgi?id=15496#c14
------
BEFORE update, installed or had:
python-requests-2.11.1-2.mga6
python3-requests-2.11.1-2.mga6

$ python pyrequests_test1.py [for Python]
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=Y1hTemFhc2dIZWVOaGxXRHJJZXF1TjJ6UXJnek5qR1grRXNpd1pidlpxVXZSUVgxaXpuVDZ6OTJvRTkreVRybFFwUlMrWG1LTVIwaTR2VXdrbHdkNmpYb0lseFBucXhBemRQVWthNUM5Q2RaTkxTbml3YXYrV0Q1RDVFVzdYQkpERVJnUGFCdGlyWTViM0IwL0xiN2UzUS9CMkpBQlM4UjZqU25hcVpJdDl6ZWM1UjVIdG44TXZ1NWc1bE81WmNDWDJ4OTBTYUx6dUtHRUtQREJteDZMUT09LS1EaHNPaitEZkZHT2JjdkRwRDc3ck1nPT0%3D--5cebb2f9e23489ef842f3a783c461f60d7fa58dd for github.com/>, <Cookie has_recent_activity=1 for github.com/>]>

$ python3 py3requests_test2.py [for Python3]
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=ME9GVGdabW9ZeU96WGJ4bm5mcndoRERFNVVJUlBSSkY2MkU2VFhLZFJlWXpWNStDQmQ1ZThOZm85cFEvZXhCa0pNZHpqbnR0eUxDa0U0bENhTlA5cXRkQ2MxTmJHaXIwalhMaFdSdjFKMVVCYTBXRmtsTGJCTjhTUHd1Ri9Zc0NDMzJIa1V3WVQ0cXRuWHZKT0tocVEvbEYwdTB0ZDZIQ2YzNUlJU3BoeFdlbzgxVFdiUW9YWlY1TDJhRm13d25uSGZjZnJTdHFtWDBWS3I1dzU3RExQQT09LS1keE5XbU1MaVBoRThBZmFpenRWV0F3PT0%3D--06709da262982047f9cf7f4246f283d700da1724 for github.com/>, <Cookie has_recent_activity=1 for github.com/>]>
-------------
AFTER update:
python-requests-2.11.1-2.1.mga6
python3-requests-2.11.1-2.1.mga6
Results essentially the same (cookie different).

For me, the update is OK. But I will follow Len's POC pointer:
https://github.com/requests/requests/issues/4716 section "Reproduction Steps".
"Run an HTTPS server on localhost:4443 that replies with a 302 redirect to http://localhost:8000, and a plain HTTP server (or netcat) on localhost:8000." + a couple of small scripts.
Scripts apart, this looks unreasonably heavy for us.
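The reproduction steps quoted in the two comments above (the upstream issue's https://localhost:4443 -> http://localhost:8000 redirect with auth=('hello', 'world')) need two local servers and a certificate, which is what stalled the testing. The check that CVE-2018-18074 is actually about can be exercised offline instead. What follows is an added illustration written for this thread; it is not code from the requests project, not one of the bug 15496 test scripts, and not the library's own rebuild_auth. It re-implements, with only the standard library, the two decision rules (the pre-fix rule that compares hostnames only, and a rule modelled on the behaviour described for the 2.20.0 fix, where an https -> http hop or a port change on the same host drops the header; the exact library code is not reproduced) and replays the PoC's single redirect hop against both. The header value is built from the PoC's credentials; the URLs are the PoC's.

```python
"""Redirect-time handling of the Authorization header (CVE-2018-18074).

Added illustration, not requests' own code. Re-implements the decision of
whether a stored Authorization header may follow a redirect, and replays the
upstream PoC hop (https://localhost:4443 -> http://localhost:8000) offline.
"""
import base64
from urllib.parse import urlparse

# Default port per scheme, so that https://h/ and https://h:443/ compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(parsed):
    """Explicit port if present, else the scheme's default (None if unknown)."""
    if parsed.port is not None:
        return parsed.port
    return DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth_vulnerable(old_url, new_url):
    """Pre-fix rule: only a hostname change drops the header.

    The scheme is ignored, so an https -> http redirect to the same host keeps
    the Basic credentials and sends them in cleartext. This is the PoC's hop.
    """
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def should_strip_auth_fixed(old_url, new_url):
    """Rule modelled on the fixed behaviour (assumption: not copied from requests).

      * different hostname                          -> strip
      * http -> https on the default ports          -> keep (upgrade to TLS)
      * same scheme and same effective port         -> keep
      * anything else (https -> http, port change)  -> strip
    """
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and effective_port(old) == 80
            and new.scheme == "https" and effective_port(new) == 443):
        return False
    if old.scheme == new.scheme and effective_port(old) == effective_port(new):
        return False
    return True


def basic_auth_header(user, password):
    """RFC 7617 Basic credentials, as a client builds them from (user, password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def headers_after_redirect(headers, old_url, new_url, strip_rule):
    """Header set for the redirected request under the given strip rule."""
    out = dict(headers)
    if "Authorization" in out and strip_rule(old_url, new_url):
        del out["Authorization"]
    return out


def poc_leak(strip_rule):
    """Replay the upstream PoC hop; True means credentials go out over plain http."""
    original = "https://localhost:4443/"
    redirect = "http://localhost:8000/"   # Location header sent by ssl_server.py
    headers = {"Authorization": basic_auth_header("hello", "world")}
    sent = headers_after_redirect(headers, original, redirect, strip_rule)
    return "Authorization" in sent


if __name__ == "__main__":
    print("vulnerable rule leaks credentials over plain http:",
          poc_leak(should_strip_auth_vulnerable))
    print("fixed rule leaks credentials over plain http:",
          poc_leak(should_strip_auth_fixed))
```

Running it prints True for the vulnerable rule and False for the fixed one, which is the whole of what the two-server PoC demonstrates: the cleartext server on port 8000 would receive `Authorization: Basic aGVsbG86d29ybGQ=` from an unpatched client. Note that this only checks the decision logic; it does not prove what the packaged 2.11.1-2.1.mga6 build does, which still needs the real client run against the servers.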
What is meant to happen is unclear; the comments get more obtuse. @Len: can we not MGA6-64-OK and validate this? If you agree, please do. Will do the advisory from comments 3 & 17.
CC: (none) => lewyssmith
Keywords: (none) => advisory
@Lewis: Agreed, the PoC is heavyweight stuff. Above my paygrade anyway. And since you found the update OK shall give this an OK. Thanks for your intercession.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0475.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED