python3-requests: redirect can expose netrc password

Related Vulnerabilities: CVE-2014-1829, CVE-2014-1830

Debian Bug report logs - #733108


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Wed, 25 Dec 2013 16:45:02 UTC

Severity: normal

Tags: confirmed, security

Found in version requests/2.0.0-1

Fixed in version 2.3.0-1

Done: Jakub Wilk <jwilk@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/kennethreitz/requests/issues/1885




Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#733108; Package python3-requests. (Wed, 25 Dec 2013 16:45:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python3-requests: redirect can expose netrc password
Date: Wed, 25 Dec 2013 17:40:43 +0100
Package: python3-requests
Version: 2.0.0-1
Tags: security

If site A redirects to site B, and user had a password for site A in 
their ~/.netrc, then requests would send authorization information both 
to site A and to site B.

I've attached a netrc file and a pair of test scripts that should help 
reproducing the bug.

-- 
Jakub Wilk
[testhttpserver.py (text/x-python, attachment)]
[testhttpclient.py (text/x-python, attachment)]
[.netrc (text/plain, attachment)]
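The behaviour described in the report above, modelled as an added example. This is not the attached test script pair, nor code from requests itself: it is a self-contained Python model of how an HTTP client that reads ~/.netrc should treat the Authorization header across a redirect. The hostnames (site-a.example, site-b.example, site-c.example), logins and passwords are constructed, the redirect chain is walked in memory with no network, and the "fixed" function is an illustration of the approach the 2.3.0 changelog describes (strip the header when the host changes, then consult ~/.netrc for the new host), not a copy of the project's implementation.

```python
import base64
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# Constructed ~/.netrc contents for the example; hosts and secrets are made up.
NETRC_TEXT = (
    "machine site-a.example login alice password hunter2\n"
    "machine site-c.example login carol password s3cret\n"
)


def load_netrc(text=NETRC_TEXT):
    """Parse netrc text with the stdlib parser, which only reads from a path."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        return netrc.netrc(path)
    finally:
        os.unlink(path)


def basic_auth_header(login, password):
    """Build the HTTP Basic Authorization value for a login/password pair."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return f"Basic {token}"


def netrc_auth_for(url, db):
    """Return the Authorization value ~/.netrc supplies for url's host, or None."""
    entry = db.authenticators(urlsplit(url).hostname)
    if entry is None:
        return None
    login, _account, password = entry
    return basic_auth_header(login, password)


def initial_headers(url, db):
    """Headers for the first request: Host plus any netrc credential for it."""
    headers = {"Host": urlsplit(url).netloc}
    auth = netrc_auth_for(url, db)
    if auth is not None:
        headers["Authorization"] = auth
    return headers


def redirect_headers_vulnerable(headers, old_url, new_url, db):
    """The behaviour reported above: every header, Authorization included,
    is carried to the redirect target no matter which host it points at."""
    new = dict(headers)
    new["Host"] = urlsplit(new_url).netloc
    return new


def redirect_headers_fixed(headers, old_url, new_url, db):
    """Illustration of the 2.3.0 approach (an assumption about its shape, not
    the project's source): drop Authorization when the host changes, then look
    the new host up in ~/.netrc on its own merits."""
    new = dict(headers)
    new["Host"] = urlsplit(new_url).netloc
    if urlsplit(old_url).hostname != urlsplit(new_url).hostname:
        new.pop("Authorization", None)
        auth = netrc_auth_for(new_url, db)
        if auth is not None:
            new["Authorization"] = auth
    return new


def simulate(chain, redirect_headers, db):
    """Walk a constructed redirect chain and record which Authorization value
    each host would receive. No network traffic is generated."""
    url = chain[0]
    headers = initial_headers(url, db)
    seen = {urlsplit(url).hostname: headers.get("Authorization")}
    for next_url in chain[1:]:
        headers = redirect_headers(headers, url, next_url, db)
        seen[urlsplit(next_url).hostname] = headers.get("Authorization")
        url = next_url
    return seen


if __name__ == "__main__":
    db = load_netrc()
    chain = ["https://site-a.example/login", "https://site-b.example/landing"]
    print("vulnerable:", simulate(chain, redirect_headers_vulnerable, db))
    print("fixed:     ", simulate(chain, redirect_headers_fixed, db))
```

In the vulnerable walk site-b.example, which has no entry in ~/.netrc, still receives alice's Basic credential; in the fixed walk it receives nothing, while a redirect to site-c.example (which does have an entry) gets carol's credential rather than alice's, and a same-host redirect keeps the original header. The same host comparison is the check to look for when auditing any client that auto-applies stored credentials and follows redirects.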

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#733108; Package python3-requests. (Mon, 27 Jan 2014 17:30:18 GMT)


Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 27 Jan 2014 17:30:18 GMT)


Message #8 received at 733108@bugs.debian.org:

From: Daniele Tricoli <eriol@mornie.org>
To: 733108@bugs.debian.org, control@bugs.debian.org
Subject: Re: python3-requests: redirect can expose netrc password
Date: Mon, 27 Jan 2014 18:17:27 +0100
forwarded 733108 https://github.com/kennethreitz/requests/issues/1885
tags 733108 confirmed
thanks

On Wednesday 25 December 2013 17:40:43 Jakub Wilk wrote:
> I've attached a netrc file and a pair of test scripts that should help 
> reproducing the bug.

Many thanks for the report! I forwarded it upstream.

Kind regards,

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org



Set Bug forwarded-to-address to 'https://github.com/kennethreitz/requests/issues/1885'. Request was from Daniele Tricoli <eriol@mornie.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 17:30:37 GMT)


Added tag(s) confirmed. Request was from Daniele Tricoli <eriol@mornie.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 17:30:38 GMT)


Reply sent to Jakub Wilk <jwilk@debian.org>:
You have taken responsibility. (Tue, 16 Sep 2014 21:54:16 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 16 Sep 2014 21:54:16 GMT)


Message #17 received at 733108-done@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 733108-done@bugs.debian.org
Subject: Re: Bug#733108: python3-requests: redirect can expose netrc password
Date: Tue, 16 Sep 2014 23:50:56 +0200
Version: 2.3.0-1

It looks like the bug was fixed upstream in 2.3.0:

>- No longer expose Authorization or Proxy-Authorization headers on 
>redirect. Fix CVE-2014-1829 and CVE-2014-1830 respectively.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#733108; Package python3-requests. (Tue, 16 Sep 2014 23:09:04 GMT)


Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 16 Sep 2014 23:09:04 GMT)


Message #22 received at 733108@bugs.debian.org:

From: Daniele Tricoli <eriol@mornie.org>
To: 733108@bugs.debian.org
Subject: Re: Bug#733108: python3-requests: redirect can expose netrc password
Date: Wed, 17 Sep 2014 01:06:12 +0200
Hello Jakub,

On Tuesday 16 September 2014 23:50:56 Jakub Wilk wrote:
> Version: 2.3.0-1
> 
> It looks like the bug was fixed upstream in 2.3.0:

Thanks for taking care of closing this. I received the notification from 
github, but I will work on requests (I plan to update to 2.4.1) on the 
weekend.

To acknowledge the fix of this security bug, I should put something in the 
changelog anyway, right?
Something like this:
  * Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
    (Closes: #733108)

Developer reference[¹] says: "When closing security bugs include CVE numbers 
as well as the Closes: #nnnnn. This is useful for the security team to track 
vulnerabilities. If an upload is made to fix the bug before the advisory ID is 
known, it is encouraged to modify the historical changelog entry with the next 
upload."

So using "Closes: #733108" although the bug is already closed seems ok to me, 
is that right?

Many thanks!

Kind regards,

[¹] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#newpackage

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#733108; Package python3-requests. (Fri, 19 Sep 2014 20:21:10 GMT)


Message #25 received at 733108@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 733108@bugs.debian.org
Subject: Re: Bug#733108: python3-requests: redirect can expose netrc password
Date: Fri, 19 Sep 2014 22:17:49 +0200
Hi Daniele!

[Bug submitters don't automatically receive BTS message copies. You need 
to CC them explicitly. I saw your message only by chance...]

* Daniele Tricoli <eriol@mornie.org>, 2014-09-17, 01:06:
>To acknowledge the fix of this security bug, I should put something in 
>the changelog anyway, right?
>Something like this:
>  * Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
>    (Closes: #733108)
>
>Developer reference[¹] says: "When closing security bugs include CVE 
>numbers as well as the Closes: #nnnnn. This is useful for the security 
>team to track vulnerabilities. If an upload is made to fix the bug 
>before the advisory ID is known, it is encouraged to modify the 
>historical changelog entry with the next upload."

As the DevRef suggests, you should retroactively add the CVE reference 
to the changelog entry for 2.3.0-1, so don't mention "in 2.3.0-1".

>So using "Closes: #733108" although the bug is arleady closed seems ok 
>to me, is that right?

Yup, that should be fine.

-- 
Jakub Wilk



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Oct 2014 07:26:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:50:45 2019; Machine Name: buxtehude
