"The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network." (Source: NVD)

* Upstream issue: https://github.com/requests/requests/issues/4716
* Patch: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff

--
Gentoo Security Scout
Vladimir Krstulja
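Added example, not part of the original report and not the upstream Requests code: a standard-library sketch of the redirect decision the advisory concerns, with a hostname-only comparison next to a same-origin comparison. The function names, the `api.example.test` host, the credential value and the http-to-https exception are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def hostname_only_strip(old_url, new_url):
    """Behaviour the advisory describes: only the hostname is compared."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def strict_strip(old_url, new_url):
    """Strip Authorization unless the redirect stays on the same origin.

    One exception (an assumption of this sketch): an http -> https upgrade
    on the same host and default ports keeps the header, since it never
    moves credentials onto a weaker channel.
    """
    old, new = _origin(old_url), _origin(new_url)
    if old[1] != new[1]:
        return True
    if old == ("http", old[1], 80) and new == ("https", new[1], 443):
        return False
    return old != new


def headers_after_redirect(headers, old_url, new_url, should_strip=strict_strip):
    """Return a copy of headers as they should be sent to new_url."""
    out = dict(headers)
    if should_strip(old_url, new_url):
        out.pop("Authorization", None)
    return out


# Constructed sample input: placeholder host and credential.
SAMPLE_HEADERS = {"Authorization": "Basic Y29uc3RydWN0ZWQ6c2FtcGxl", "Accept": "*/*"}
DOWNGRADE = ("https://api.example.test/v1/items", "http://api.example.test/v1/items")

if __name__ == "__main__":
    for check in (hostname_only_strip, strict_strip):
        sent = headers_after_redirect(SAMPLE_HEADERS, *DOWNGRADE, should_strip=check)
        print(check.__name__, "-> Authorization sent:", "Authorization" in sent)
```

The same-origin check also drops the header when only the port changes, which the hostname-only comparison lets through.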
*** Bug 669942 has been marked as a duplicate of this bug. ***
https://github.com/requests/requests/blob/v2.20.0/HISTORY.md
ping python@..
The updated ebuild has been in the tree for a while now. Arches, please stabilize. Thanks!
arm64 stable
sparc done
ppc64 stable
ppc stable
ia64 stable
hppa stable
arm stable
x86 stable
amd64 stable
alpha stable
sh stable
s390 stable
m68k stable
@maintainer, please drop vulnerable.
At first glance, the stable version of app-emulation/docker-compose is in the way. Filed [1] to look for more.

[1]: https://github.com/gentoo/gentoo/pull/11325
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa525ecc052be76963def5685c8b9079024a3973

commit aa525ecc052be76963def5685c8b9079024a3973
Author: Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2019-03-10 08:33:34 +0000
Commit: Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2019-03-10 08:33:34 +0000

    dev-python/requests: Security cleanup

    Closes: https://bugs.gentoo.org/668716
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-python/requests/Manifest | 1 -
 dev-python/requests/requests-2.18.4-r1.ebuild | 52 ---------------------------
 2 files changed, 53 deletions(-)