requests: CVE-2015-2296: session fixation and cookie stealing issue


Debian Bug report logs - #780506

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 15 Mar 2015 06:09:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version requests/2.4.3-4

Fixed in version requests/2.4.3-6

Done: Daniele Tricoli <eriol@mornie.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780506; Package src:requests. (Sun, 15 Mar 2015 06:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 15 Mar 2015 06:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: requests: CVE-2015-2296: session fixation and cookie stealing issue
Date: Sun, 15 Mar 2015 07:04:34 +0100
Source: requests
Version: 2.4.3-4
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for requests.

CVE-2015-2296[0]:
session fixation and cookie stealing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-2296
[1] https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
[2] http://www.openwall.com/lists/oss-security/2015/03/14/4

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780506; Package src:requests. (Sun, 15 Mar 2015 12:33:08 GMT)


Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 15 Mar 2015 12:33:08 GMT)


Message #10 received at 780506@bugs.debian.org:

From: Daniele Tricoli <eriol@mornie.org>
To: 780506@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: requests: CVE-2015-2296: session fixation and cookie stealing issue
Date: Sun, 15 Mar 2015 13:22:47 +0100
Hello Salvatore,

Salvatore Bonaccorso wrote:
> Hi,
> 
> the following vulnerability was published for requests.
> 
> CVE-2015-2296[0]:
> session fixation and cookie stealing

Thanks for notifying, I was already updated by upstream. I'm going to work on
this today.

Kind regards,

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org



Added tag(s) pending. Request was from eriol-guest@users.alioth.debian.org to control@bugs.debian.org. (Mon, 16 Mar 2015 01:03:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780506; Package src:requests. (Mon, 16 Mar 2015 11:21:04 GMT)


Acknowledgement sent to Daniel Watkins <daniel.watkins@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 16 Mar 2015 11:21:05 GMT)


Message #17 received at 780506@bugs.debian.org:

From: Daniel Watkins <daniel.watkins@canonical.com>
To: 780506@bugs.debian.org
Subject: Reproduction script
Date: Mon, 16 Mar 2015 11:18:42 +0000
Hello,

I've written a simple reproduction script for the CVE, which validates
whether or not the issue is fixed.

You can find it at
https://gist.github.com/OddBloke/211ff98b63a8cfb3f6d4; all you need
installed is python-bottle (for HTTP serving).


Dan

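An offline check in the spirit of the reproduction script Daniel describes, added here as an example; it is neither his gist (which is not reproduced on this page) nor requests' own code. It models the behaviour named in the fix title: a cookie set on a redirect response must stay with the host that set it and must not be ascribed to the redirect target. The hostnames attacker.example / victim.example, the cookie value and all function names are constructed for this example; the "naive" client is a simplified model of the bug class, not the original requests logic.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed scenario: a 302 from one host sets a cookie and redirects to
# another host. Hostnames and cookie value are made up for this example.
ORIGIN_URL = "http://attacker.example/start"
TARGET_URL = "http://victim.example/login"
SET_COOKIE = ["sessionid=fixed-by-redirector"]


class _RedirectResponse:
    """Minimal stand-in for the redirect response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def naive_cookie_header(origin_url, set_cookie_values, target_url):
    """Buggy model of the pre-fix behaviour: every cookie on the redirect
    response is forwarded to wherever Location points, with no domain scoping."""
    pairs = [v.split(";", 1)[0].strip() for v in set_cookie_values]
    return "; ".join(pairs) if pairs else None


def scoped_cookie_header(origin_url, set_cookie_values, target_url):
    """Correct behaviour: store the cookie against the host that set it, then
    let the jar's domain/path policy decide whether the target may carry it."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_RedirectResponse(set_cookie_values),
                        urllib.request.Request(origin_url))
    target = urllib.request.Request(target_url)
    jar.add_cookie_header(target)  # sets Cookie only if domain and path match
    return target.get_header("Cookie")


def leaks_cookie_to_target(client_fn):
    """Reproduction-style check: True if the client sends the redirector's
    cookie to the unrelated target host."""
    return client_fn(ORIGIN_URL, SET_COOKIE, TARGET_URL) is not None


if __name__ == "__main__":
    for fn in (naive_cookie_header, scoped_cookie_header):
        print(f"{fn.__name__}: leaks cookie = {leaks_cookie_to_target(fn)}")
```

The same jar also rejects a redirect cookie that tries to claim the target's domain outright (Domain=victim.example set by attacker.example), which is the other way a redirector could plant a session.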

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780506; Package src:requests. (Mon, 16 Mar 2015 15:18:08 GMT)


Acknowledgement sent to Daniele Tricoli <eriol@mornie.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 16 Mar 2015 15:18:08 GMT)


Message #22 received at 780506@bugs.debian.org:

From: Daniele Tricoli <eriol@mornie.org>
To: Daniel Watkins <daniel.watkins@canonical.com>
Cc: 780506@bugs.debian.org
Subject: Re: Reproduction script
Date: Mon, 16 Mar 2015 16:15:04 +0100
Hello Daniel,

On Monday 16 March 2015 11:18:42 Daniel Watkins wrote:
> I've written a simple reproduction script for the CVE, which validates
> whether or not the issue is fixed.

I patched requests yesterday and I made a pre unblock request: RT agrees for 
unblocking requests 2.4.3-6 with the fix for CVE-2015-2296. Now I will test 
the package using your script before the upload. Many thanks!

Cheers,

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org

Reply sent to Daniele Tricoli <eriol@mornie.org>:
You have taken responsibility. (Mon, 16 Mar 2015 23:06:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 Mar 2015 23:06:09 GMT)


Message #27 received at 780506-close@bugs.debian.org:

From: Daniele Tricoli <eriol@mornie.org>
To: 780506-close@bugs.debian.org
Subject: Bug#780506: fixed in requests 2.4.3-6
Date: Mon, 16 Mar 2015 23:03:50 +0000
Source: requests
Source-Version: 2.4.3-6

We believe that the bug you reported is fixed in the latest version of
requests, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780506@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniele Tricoli <eriol@mornie.org> (supplier of updated requests package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 16 Mar 2015 01:31:10 +0100
Source: requests
Binary: python-requests python3-requests python-requests-whl
Architecture: source all
Version: 2.4.3-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Daniele Tricoli <eriol@mornie.org>
Description:
 python-requests - elegant and simple HTTP library for Python2, built for human bein
 python-requests-whl - elegant and simple HTTP library for Python, built for human being
 python3-requests - elegant and simple HTTP library for Python3, built for human bein
Closes: 780506
Changes:
 requests (2.4.3-6) unstable; urgency=medium
 .
   * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
     - Fix session fixation and cookie stealing: CVE-2015-2296.
       (Closes: #780506)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Apr 2015 07:26:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:45:56 2019; Machine Name: buxtehude
