what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2015-133

Mandriva Linux Security Advisory 2015-133
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-133 - Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file. It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected. In python-requests before 2.6.0, a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.

tags | advisory, python
systems | linux, mandriva
advisories | CVE-2014-1829, CVE-2014-1830, CVE-2015-2296
SHA-256 | c16596fd1421f61f65bec780385bab621cf701455989361dc3437d3ee0d43c9b

Mandriva Linux Security Advisory 2015-133

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:133
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-requests
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated python-requests packages fix security vulnerabilities:

Python-requests was found to have a vulnerability, where the attacker
can retrieve the passwords from ~/.netrc file through redirect
requests, if the user has their passwords stored in the ~/.netrc file
(CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header
was never re-evaluated when a redirect occurs. The Proxy-Authorization
header was sent to any new proxy or non-proxy destination as redirected
(CVE-2014-1830).

In python-requests before 2.6.0, a cookie without a host value set
would use the hostname for the redirected URL exposing requests
users to session fixation attacks and potentially cookie stealing
(CVE-2015-2296).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296
http://advisories.mageia.org/MGASA-2014-0409.html
http://advisories.mageia.org/MGASA-2015-0120.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
bdc01b89f7847864db186b65cd1d46a4 mbs2/x86_64/python3-requests-2.3.0-1.1.mbs2.noarch.rpm
003bc0e04b5ebf77bcf00cf004d2591b mbs2/x86_64/python-requests-2.3.0-1.1.mbs2.noarch.rpm
18db7d8b658c588b49979966fce6577d mbs2/SRPMS/python-requests-2.3.0-1.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF85CmqjQ0CJFipgRApDzAJ94/bIyj7xjen0f8z7CAVYB4tM0JACfSyCR
UgtMpK/ETCrGT6qesmteJ5Q=
=I7Gj
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close