Bugzilla – Bug 897658
VUL-1: CVE-2014-1829 CVE-2014-1830: python-requests: Proxy-Authorization header leak
Last modified: 2016-04-27 18:59:47 UTC
via oss-sec

From: Jakub Wilk <jwilk@debian.org>
Subject: [oss-security] python-requests: CVE-2014-1829, CVE-2014-1830: password disclosure on redirect
Date: Fri, 19 Sep 2014 22:10:01 +0200

FYI: a while ago python-requests 2.3.0 was released, with the following bugfix:

* No longer expose Authorization or Proxy-Authorization headers on redirect. Fix CVE-2014-1829 and CVE-2014-1830 respectively.

References:
https://bugs.debian.org/733108
https://github.com/kennethreitz/requests/issues/1885
https://bugzilla.redhat.com/show_bug.cgi?id=1046626

--
Jakub Wilk
On SUSE Cloud and on openSUSE only. Does it access anything outside of the cloud products scope on cloud?
bugbot adjusting priority
(In reply to Marcus Meissner from comment #1)
> does it access anything outside of the cloud products scope on cloud?

In principle the python-*client packages (e.g. nova) use python-requests and could be used on client machines to access other OpenStack clouds.
(In reply to Marcus Meissner from comment #1)
> on SUSE cloud and on openSUSE only.

??? The packages are also on SLE12.
(In reply to Dirk Mueller from comment #4)

They are on sle-ha 12.0 and sle-module-public-cloud 12.0, which probably didn't exist when Marcus wrote this comment.
CVE-2014-1829
=============
https://github.com/kennethreitz/requests/pull/1892 ( f1893c835570d72823c970fbd6e0e42c13b1f0f2 ) with these changes:
7ba5a534ae9fc24e40b3ae6c480c9075d684727e
326a22e8880c1dba52698a479eb7b6038d5b2e87
d9f34c6848b9b313beefa7d3ce05f52fdea28c27

commit d9f34c6848b9b313beefa7d3ce05f52fdea28c27
Author: Cory Benfield <lukasaoz@gmail.com>
Date:   Fri Jan 31 07:36:44 2014 +0000

    Respect trust_env on redirect.

commit 326a22e8880c1dba52698a479eb7b6038d5b2e87
Author: Cory Benfield <lukasaoz@gmail.com>
Date:   Thu Jan 30 15:11:24 2014 +0000

    Better layout for checking.

commit 7ba5a534ae9fc24e40b3ae6c480c9075d684727e
Author: Cory Benfield <lukasaoz@gmail.com>
Date:   Wed Jan 29 19:13:46 2014 +0000

    Repopulate ~/.netrc auth.

The SUSE products which were affected are now out of support. openSUSE 13.2 and up not affected. The change merges to 1.2.3 and openSUSE 13.1 is affected.

CVE-2014-1830
=============
same versions.

Single:
https://github.com/kennethreitz/requests/commit/4d8cb3244e8e4f84b250c10a48e025f9a8bf6137
https://github.com/kennethreitz/requests/commit/4d8cb3244e8e4f84b250c10a48e025f9a8bf6137.patch

With more corrections:
https://github.com/kennethreitz/requests/commit/fe4c4f146124d7fba2e680581a5d6b9d98e3fdf8
https://github.com/kennethreitz/requests/commit/fe4c4f146124d7fba2e680581a5d6b9d98e3fdf8.patch
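The behaviour these fixes change, as an added example written for this page rather than python-requests' own code: a minimal redirect follower that either resends every header verbatim (the pre-2.3.0 behaviour behind both CVEs) or drops Proxy-Authorization on every hop and Authorization on any cross-origin hop. The names (`follow_redirects`, `same_origin`, `leaked_headers`), the redirect chain and the credential values are constructed for the example; the same-origin check here compares scheme, host and port, which is stricter than the hostname-only comparison in the upstream fix.

```python
from urllib.parse import urlparse

# Constructed redirect chains: a cross-host 302 and a same-host 301.
CHAIN = {
    "https://api.example.com/v1/login": (302, "https://other.example.net/capture"),
    "https://other.example.net/capture": (200, None),
    "https://api.example.com/old": (301, "https://api.example.com/new"),
    "https://api.example.com/new": (200, None),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def same_origin(a: str, b: str) -> bool:
    """Scheme, host and port must all match; this is stricter than the 2.3.0
    fix, which compared hostnames only (an assumption of this example)."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def follow_redirects(url, headers, chain=CHAIN, strip_on_redirect=True, max_hops=5):
    """Walk the chain and return [(url, headers_sent), ...] for each hop.

    strip_on_redirect=False reproduces the pre-2.3.0 behaviour: every header,
    including credentials, is resent verbatim to whatever Location names.
    """
    sent, headers = [], dict(headers)
    for _ in range(max_hops):
        sent.append((url, dict(headers)))
        status, location = chain[url]
        if status not in REDIRECT_CODES or location is None:
            return sent
        if strip_on_redirect:
            # Proxy credentials belong to the proxy chosen for the *new* URL, so
            # drop them on every hop and let proxy config re-add them (CVE-2014-1830).
            headers.pop("Proxy-Authorization", None)
            # Site credentials survive only a same-origin redirect (CVE-2014-1829).
            if not same_origin(url, location):
                headers.pop("Authorization", None)
        url = location
    raise RuntimeError("too many redirects")


def leaked_headers(hops):
    """Credential header names that reached an origin other than the first hop's."""
    first = hops[0][0]
    return sorted({h for url, hdrs in hops[1:] if not same_origin(first, url)
                   for h in hdrs if h in ("Authorization", "Proxy-Authorization")})
```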
This is an autogenerated message for OBS integration:
This bug (897658) was mentioned in
https://build.opensuse.org/request/show/355260 13.1 / python-requests
openSUSE-SU-2016:0246-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 897658
CVE References: CVE-2014-1830
Sources used:
openSUSE 13.1 (src):    python-requests-1.2.3-4.3.1
update is released