requests: CVE-2018-18074

Related Vulnerabilities: CVE-2018-18074  

Debian Bug report logs - #910766

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Oct 2018 20:54:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions requests/2.12.4-1, requests/2.18.4-2

Fixed in version requests/2.20.0-1

Done: Daniele Tricoli <eriol@mornie.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/requests/requests/issues/4716


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#910766; Package src:requests. (Wed, 10 Oct 2018 20:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 10 Oct 2018 20:54:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: requests: CVE-2018-18074
Date: Wed, 10 Oct 2018 22:50:47 +0200
Source: requests
Version: 2.18.4-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/requests/requests/issues/4716

Hi,

The following vulnerability was published for requests.

CVE-2018-18074[0]:
| The Requests package through 2.19.1 before 2018-09-14 for Python sends
| an HTTP Authorization header to an http URI upon receiving a
| same-hostname https-to-http redirect, which makes it easier for remote
| attackers to discover credentials by sniffing the network.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18074
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
[1] https://github.com/requests/requests/issues/4716
[2] https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
[3] https://github.com/requests/requests/pull/4718

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
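
The vulnerable behaviour described in the CVE text above (the Authorization header surviving a same-host https-to-http redirect) and the policy change that closes it, as an added, stand-alone illustration. This is not requests' own code and not part of the bug report: it is a small model of a client's redirect handler with two header-stripping policies. The pre-fix policy compares hostnames only; the hardened policy also drops the header when the scheme or port changes, allowing only the benign http://host:80 to https://host:443 upgrade (that port handling goes beyond the single case the CVE text describes and is an assumption here). The hostnames and the redirect chain are constructed for the example.

```python
"""Model of CVE-2018-18074: credentials leaking across an https -> http
redirect to the same host.  Added example, not requests' own code."""
from urllib.parse import urlparse


def should_strip_auth_vulnerable(old_url: str, new_url: str) -> bool:
    """Pre-2.20.0-style policy: drop Authorization only when the hostname
    changes.  A same-host https -> http redirect keeps the header, so it is
    sent again in cleartext."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def _effective_port(parsed) -> int:
    # Default port by scheme when the URL carries none.
    if parsed.port is not None:
        return parsed.port
    return 443 if parsed.scheme == "https" else 80


def should_strip_auth_fixed(old_url: str, new_url: str) -> bool:
    """Hardened policy: strip on hostname change, and on any scheme or port
    change, except the http://host:80 -> https://host:443 upgrade (assumed
    benign: it only moves the credential onto a protected channel)."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port, new_port = _effective_port(old), _effective_port(new)
    if (old.scheme == "http" and old_port == 80
            and new.scheme == "https" and new_port == 443):
        return False
    return old.scheme != new.scheme or old_port != new_port


# Constructed redirect chain: URL -> (status, Location) the server answers.
REDIRECT_CHAIN = {
    "https://api.example.test/v1/data": (301, "http://api.example.test/v1/data"),
    "http://api.example.test/v1/data": (200, None),
}


def follow_redirects(start_url, headers, policy, chain, max_hops=5):
    """Walk the chain the way a client's redirect handler would, applying
    `policy` before each hop.  Returns [(url, headers_sent)] per request so
    the caller can see exactly which header reached which URL."""
    url, headers, trace = start_url, dict(headers), []
    for _ in range(max_hops):
        trace.append((url, dict(headers)))
        status, location = chain[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        if "Authorization" in headers and policy(url, location):
            del headers["Authorization"]
        url = location
    return trace


def leaked_over_plaintext(trace):
    """URLs requested over plain http that still carried Authorization."""
    return [u for u, h in trace
            if urlparse(u).scheme == "http" and "Authorization" in h]


if __name__ == "__main__":
    creds = {"Authorization": "Basic dXNlcjpwYXNz"}  # constructed sample
    for name, policy in (("vulnerable", should_strip_auth_vulnerable),
                         ("fixed", should_strip_auth_fixed)):
        trace = follow_redirects("https://api.example.test/v1/data", creds,
                                 policy, REDIRECT_CHAIN)
        print(name, "leaked to:", leaked_over_plaintext(trace))
```

Running the block prints one leaked plaintext URL for the vulnerable policy and none for the fixed one. The point for a reviewer: a hostname-only check is not a same-origin check; scheme and port are part of the origin, and an on-path attacker who can answer the first https request's redirect target over plain http gets the credential without ever breaking TLS.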



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#910766; Package src:requests. (Thu, 11 Oct 2018 01:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 11 Oct 2018 01:27:02 GMT) (full text, mbox, link).


Message #10 received at 910766@bugs.debian.org (full text, mbox, reply):

From: Daniele Tricoli <eriol@mornie.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 910766@bugs.debian.org
Subject: Re: Bug#910766: requests: CVE-2018-18074
Date: Thu, 11 Oct 2018 03:19:53 +0200
[Message part 1 (text/plain, inline)]
Hello Salvatore,

On 10/10/18 10:50 PM, Salvatore Bonaccorso wrote:
> The following vulnerability was published for requests.
> 
> CVE-2018-18074[0]:
> | The Requests package through 2.19.1 before 2018-09-14 for Python sends
> | an HTTP Authorization header to an http URI upon receiving a
> | same-hostname https-to-http redirect, which makes it easier for remote
> | attackers to discover credentials by sniffing the network.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Many thanks for the report! I will work on this by the end of the week.

Kind regards,

-- 
 Daniele Tricoli 'eriol'
 https://mornie.org

[signature.asc (application/pgp-signature, attachment)]

Marked as found in versions requests/2.12.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Oct 2018 20:00:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 15 Oct 2018 20:03:12 GMT) (full text, mbox, link).


Reply sent to Daniele Tricoli <eriol@mornie.org>:
You have taken responsibility. (Thu, 25 Oct 2018 02:39:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 25 Oct 2018 02:39:03 GMT) (full text, mbox, link).


Message #19 received at 910766-close@bugs.debian.org (full text, mbox, reply):

From: Daniele Tricoli <eriol@mornie.org>
To: 910766-close@bugs.debian.org
Subject: Bug#910766: fixed in requests 2.20.0-1
Date: Thu, 25 Oct 2018 02:37:04 +0000
Source: requests
Source-Version: 2.20.0-1

We believe that the bug you reported is fixed in the latest version of
requests, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910766@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniele Tricoli <eriol@mornie.org> (supplier of updated requests package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Oct 2018 03:50:50 +0200
Source: requests
Binary: python-requests python3-requests
Architecture: source all
Version: 2.20.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Daniele Tricoli <eriol@mornie.org>
Description:
 python-requests - elegant and simple HTTP library for Python2, built for human bein
 python3-requests - elegant and simple HTTP library for Python3, built for human bein
Closes: 910766
Changes:
 requests (2.20.0-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Remove ancient X-Python-Version field
   * d/control: Remove ancient X-Python3-Version field
   * Convert git repository from git-dpm to gbp layout
 .
   [ Daniele Tricoli ]
   * New upstream release.
     - Fix CVE-2018-18074 (Closes: #910766)
   * Add gbp.conf.
   * debian/control
     - Bump python{,3}-urllib3 (>= 1.21.1) (<< 1.25).
     - Bump Standards-Version to 4.2.1 (no changes needed).
   * debian/copyright
     - Update upstream copyright year.
     - Update Source field to point to new PyPI URL.
   * debian/docs
     - Rename README.rst to README.md.
   * debian/rules
     - Rename HISTORY.rst to HISTORY.md.
   * debian/watch
     - Remove pgpsigurlmangle since upstream is not signing releases anymore.
   * debian/upstream/signing-key.asc
     - Remove upstream signing-key.asc since not used anymore.
Checksums-Sha1:
 33a85507e115e70d9201eba84cc9da86051abd4d 2381 requests_2.20.0-1.dsc
 814a0954406fa7826f5a237865c8705d7e01edea 111179 requests_2.20.0.orig.tar.gz
 c71792d9d2ec6640507c37f2bf4e3f71622e9aac 6364 requests_2.20.0-1.debian.tar.xz
 a083efccf33a611663c11bfb7d44bc9373f80f42 66772 python-requests_2.20.0-1_all.deb
 accfacd31d3cd15936503d7f6d475df56b7f0adc 66588 python3-requests_2.20.0-1_all.deb
 a1a88313fef5ee2db619eedeab640793ff3ce9e1 7271 requests_2.20.0-1_amd64.buildinfo
Checksums-Sha256:
 b37efeb50acb7ae8ca01cb40682262f6aec56a3b6859674f5e51fe479243789a 2381 requests_2.20.0-1.dsc
 99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c 111179 requests_2.20.0.orig.tar.gz
 fc7ea6fc6915d17717534b9604cae7d197dbd6fd567ea453adc47fe85560536f 6364 requests_2.20.0-1.debian.tar.xz
 5dcb779e298379b1d3eddb2fc49e39c3d2a9cdea4bc9e983806a45c99896142a 66772 python-requests_2.20.0-1_all.deb
 d02071aada0e9eedd651bca5bc51c65218fe4a17faf1425065f4fbfa0591b1b6 66588 python3-requests_2.20.0-1_all.deb
 df1f4032079820e30edc40551bb874795b698275b362384d242db1ae445ac6fe 7271 requests_2.20.0-1_amd64.buildinfo
Files:
 9745abc55ae6257eb43d5e1785513541 2381 python optional requests_2.20.0-1.dsc
 cf034ab571854453719594120366f467 111179 python optional requests_2.20.0.orig.tar.gz
 5b7f8c234fb9bdec06a059fca3a0779a 6364 python optional requests_2.20.0-1.debian.tar.xz
 7b1391ede41e98ebd762c9ea80f2e82d 66772 python optional python-requests_2.20.0-1_all.deb
 1d9d7364ad6103047b29f3567b293651 66588 python optional python3-requests_2.20.0-1_all.deb
 8b439663194d181b2e0f20e6e4be23cf 7271 python optional requests_2.20.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Nov 2018 07:29:02 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:36:35 2019; Machine Name: buxtehude
