CVE-2015-2296

Related Files

Mandriva Linux Security Advisory 2015-133

Posted Mar 30, 2015

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-133 - Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file. It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected. In python-requests before 2.6.0, a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.

tags | advisory, python

systems | linux, mandriva

advisories | CVE-2014-1829, CVE-2014-1830, CVE-2015-2296

SHA-256 | c16596fd1421f61f65bec780385bab621cf701455989361dc3437d3ee0d43c9b

Download | Favorite | View

Ubuntu Security Notice USN-2531-1

Posted Mar 16, 2015

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2531-1 - Matthew Daley discovered that Requests incorrectly handled cookies without host values when being redirected. A remote attacker could possibly use this issue to perform session fixation or cookie stealing attacks.

tags | advisory, remote

systems | linux, ubuntu

advisories | CVE-2015-2296

SHA-256 | 3b5dfa3d2870523dde7bcde40ac0889a5386922682bebc6bf6ce36c3c40c4224

Download | Favorite | View