| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 29 Mar 2015 13:04:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2015:133 ] python-requests -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:133 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : python-requests Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated python-requests packages fix security vulnerabilities: Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file (CVE-2014-1829). It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected (CVE-2014-1830). In python-requests before 2.6.0, a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing (CVE-2015-2296). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296 http://advisories.mageia.org/MGASA-2014-0409.html http://advisories.mageia.org/MGASA-2015-0120.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: bdc01b89f7847864db186b65cd1d46a4 mbs2/x86_64/python3-requests-2.3.0-1.1.mbs2.noarch.rpm 003bc0e04b5ebf77bcf00cf004d2591b mbs2/x86_64/python-requests-2.3.0-1.1.mbs2.noarch.rpm 18db7d8b658c588b49979966fce6577d mbs2/SRPMS/python-requests-2.3.0-1.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF85CmqjQ0CJFipgRApDzAJ94/bIyj7xjen0f8z7CAVYB4tM0JACfSyCR UgtMpK/ETCrGT6qesmteJ5Q= =I7Gj -----END PGP SIGNATURE-----
Powered by blists - more mailing lists