Debian Bug report logs - #733108
python3-requests: redirect can expose netrc password
Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#733108; Package python3-requests. (Wed, 25 Dec 2013 16:45:06 GMT)
Message #3 received at submit@bugs.debian.org:
Package: python3-requests
Version: 2.0.0-1
Tags: security
If site A redirects to site B, and user had a password for site A in
their ~/.netrc, then requests would send authorization information both
to site A and to site B.
I've attached a netrc file and a pair of test scripts that should help
reproducing the bug.
--
Jakub Wilk
[testhttpserver.py (text/x-python, attachment)]
[testhttpclient.py (text/x-python, attachment)]
[.netrc (text/plain, attachment)]
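The report above describes the unsafe behaviour without showing the test scripts (they are attachments, not part of this page). The following is an added example, not Jakub Wilk's scripts or the requests code base: it models the one decision a redirect-following client has to make, namely which credentials may accompany the follow-up request. The netrc contents, hostnames and passwords are constructed for the example; `NETRC`, `headers_for_redirect` and `vulnerable_headers_for_redirect` are names chosen here, not requests API.

```python
"""Credential handling across HTTP redirects (added example).

Models the defect in the report: a client that attached site A's netrc
credentials to the first request and then replays the same headers to
whatever host the redirect points at.  The hardened variant drops the
Authorization header whenever the host changes and looks credentials up
again for the new host only, and never carries Proxy-Authorization over
from the previous request (it is re-derived from proxy settings instead).
"""
from base64 import b64encode
from urllib.parse import urlsplit

# Constructed stand-in for ~/.netrc: host -> (login, password).
# The hosts and passwords are made up for this example.
NETRC = {
    "a.example": ("alice", "password-for-a"),
    "b.example": ("bob", "password-for-b"),
}


def basic_header(login, password):
    """Encode login/password as an HTTP Basic Authorization header value."""
    token = b64encode(f"{login}:{password}".encode()).decode()
    return f"Basic {token}"


def netrc_auth(url):
    """Return the Basic header for url's host from NETRC, or None."""
    creds = NETRC.get(urlsplit(url).hostname)
    return basic_header(*creds) if creds else None


def vulnerable_headers_for_redirect(original_url, redirect_url, headers):
    """The behaviour the report complains about: headers reused unchanged.

    site A's Authorization header is sent to whatever host site A
    redirected to, even a host the user never stored credentials for.
    """
    return dict(headers)


def headers_for_redirect(original_url, redirect_url, headers,
                         proxy_credentials=None):
    """Hardened variant: credentials are scoped to the host they belong to.

    - Same host: keep Authorization (the user may have set it by hand).
    - Different host: drop Authorization, then consult NETRC for the new
      host only, so b.example gets bob's password, c.example gets nothing.
    - Proxy-Authorization belongs to the proxy hop, not the target, so it
      is never forwarded; if proxy credentials are configured, the header
      is rebuilt from them.
    """
    new_headers = {k: v for k, v in headers.items()
                   if k.lower() != "proxy-authorization"}

    old_host = urlsplit(original_url).hostname
    new_host = urlsplit(redirect_url).hostname
    if old_host != new_host:
        new_headers.pop("Authorization", None)
        replacement = netrc_auth(redirect_url)
        if replacement:
            new_headers["Authorization"] = replacement

    if proxy_credentials:
        new_headers["Proxy-Authorization"] = basic_header(*proxy_credentials)
    return new_headers


def credential_leaks(original_url, redirect_url, headers):
    """Report which sensitive headers the vulnerable path would have sent
    to a host that had no claim to them; empty means nothing leaked."""
    sent = vulnerable_headers_for_redirect(original_url, redirect_url, headers)
    safe = headers_for_redirect(original_url, redirect_url, headers)
    return sorted(k for k in ("Authorization", "Proxy-Authorization")
                  if k in sent and sent[k] != safe.get(k))


if __name__ == "__main__":
    first = {"Authorization": netrc_auth("https://a.example/login")}
    for target in ("https://a.example/home", "https://b.example/",
                   "https://c.example/"):
        print(target, "leaks:", credential_leaks("https://a.example/login",
                                                 target, first))
```

Run as a script it prints, for a redirect from a.example to each of the three targets, which headers the unchanged-replay behaviour would have exposed; only the cross-host targets report a leak, and on b.example the hardened path substitutes bob's credentials instead of forwarding alice's.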
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#733108; Package python3-requests. (Mon, 27 Jan 2014 17:30:18 GMT)
Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 27 Jan 2014 17:30:18 GMT)
Message #8 received at 733108@bugs.debian.org:
forwarded 733108 https://github.com/kennethreitz/requests/issues/1885
tags 733108 confirmed
thanks
On Wednesday 25 December 2013 17:40:43 Jakub Wilk wrote:
> I've attached a netrc file and a pair of test scripts that should help
> reproducing the bug.
Many thanks for the report! I forwarded it upstream.
Kind regards,
--
Daniele Tricoli 'Eriol'
http://mornie.org
Added tag(s) confirmed. Request was from Daniele Tricoli <eriol@mornie.org> to control@bugs.debian.org. (Mon, 27 Jan 2014 17:30:38 GMT)
Reply sent to Jakub Wilk <jwilk@debian.org>: You have taken responsibility. (Tue, 16 Sep 2014 21:54:16 GMT)
Notification sent to Jakub Wilk <jwilk@debian.org>: Bug acknowledged by developer. (Tue, 16 Sep 2014 21:54:16 GMT)
Message #17 received at 733108-done@bugs.debian.org:
Version: 2.3.0-1
It looks like the bug was fixed upstream in 2.3.0:
>- No longer expose Authorization or Proxy-Authorization headers on
>redirect. Fix CVE-2014-1829 and CVE-2014-1830 respectively.
--
Jakub Wilk
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#733108; Package python3-requests. (Tue, 16 Sep 2014 23:09:04 GMT)
Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 16 Sep 2014 23:09:04 GMT)
Message #22 received at 733108@bugs.debian.org:
Hello Jakub,
On Tuesday 16 September 2014 23:50:56 Jakub Wilk wrote:
> Version: 2.3.0-1
>
> It looks like the bug was fixed upstream in 2.3.0:
Thanks for taking care of closing this. I received the notification from
github, but I will work on requests (I plan to update to 2.4.1) on the
weekend.
To acknowledge the fix of this security bug, I should put something in the
changelog anyway, right?
Something like this:
* Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
(Closes: #733108)
Developer reference[¹] says: "When closing security bugs include CVE numbers
as well as the Closes: #nnnnn. This is useful for the security team to track
vulnerabilities. If an upload is made to fix the bug before the advisory ID is
known, it is encouraged to modify the historical changelog entry with the next
upload."
So using "Closes: #733108" although the bug is already closed seems ok to me,
is that right?
Many thanks!
Kind regards,
[¹] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#newpackage
--
Daniele Tricoli 'Eriol'
http://mornie.org
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#733108; Package python3-requests. (Fri, 19 Sep 2014 20:21:10 GMT)
Message #25 received at 733108@bugs.debian.org:
Hi Daniele!
[Bug submitters don't automatically receive BTS message copies. You need
to CC them explicitly. I saw your message only by chance...]
* Daniele Tricoli <eriol@mornie.org>, 2014-09-17, 01:06:
>To acknowledge the fix of this security bug, I should put something in
>the changelog anyway, right?
>Something like this:
> * Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
> (Closes: #733108)
>
>Developer reference[¹] says: "When closing security bugs include CVE
>numbers as well as the Closes: #nnnnn. This is useful for the security
>team to track vulnerabilities. If an upload is made to fix the bug
>before the advisory ID is known, it is encouraged to modify the
>historical changelog entry with the next upload."
As the DevRef suggests, you should retroactively add the CVE reference
to the changelog entry for 2.3.0-1, so don't mention "in 2.3.0-1".
>So using "Closes: #733108" although the bug is already closed seems ok
>to me, is that right?
Yup, that should be fine.
--
Jakub Wilk
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Oct 2014 07:26:49 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:50:45 2019; Machine Name: buxtehude