From ${URL} : Last night, Matthew Daley (CC'd on this email) privately disclosed to the requests project a vulnerability in requests which has now been fixed in requests v2.6.0 (https://warehouse.python.org/project/requests/2.6.0/) by this commit: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc. The following is the relevant excerpts from the description provided by Matthew: The issue occurs when Requests is handling a HTTP response that is a redirection and that also sets cookies without an explicit domain parameter. Instead of the cookies only being set for the domain which sent the HTTP response, they are also sent to the redirection target, regardless of its domain. The issue could be exploited in the following ways: * If you are the redirection source (ie. you can make Requests hit your URL), you can make Requests perform a request to any third-party domain with cookies of your choosing. This may be useful in performing a session fixation attack. * If you are the redirection target (ie. you can make a third-party site redirect to your URL), you are able to steal any cookies set by the third-party redirection. The change that introduced this vulnerability was first included in version 2.1.0 of requests. As such every version since that version up to and including 2.5.3 are vulnerable to this attack. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
*requests-2.6.0 (26 Mar 2015) 26 Mar 2015; Patrick Lauer <patrick@gentoo.org> +requests-2.6.0.ebuild: Bump
@arches please stabilize dev-python/requests-2.6.0
Stable for HPPA.
Arches, please test and mark stable: =dev-python/requests-2.6.0 Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86" Thank you!
CVE-2015-2296 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2296): The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
amd64 stable
x86 stable
ppc64 stable
ppc stable
alpha stable
ia64 stable
sparc stable
arm stable, all arches done.
+ 21 May 2015; Justin Lecher <jlec@gentoo.org> + -files/requests-1.2.0-system-cacerts.patch, + -files/requests-1.2.0-system-libs.patch, + -files/requests-1.2.1-urllib3-py3.patch, -requests-2.3.0.ebuild: + Drop vulnerable version, bug #543480 + Cleaned.
Arches and Maintainer(s), Thank you for your work. Security Please Vote First GLSA Vote: Yes
I vote NO, tiebreaker required.
Vote: NO, closing.
