Mandriva Linux Security Advisory 2015-133 - Python-requests was found to have a vulnerability, where the attacker can retrieve the passwords from ~/.netrc file through redirect requests, if the user has their passwords stored in the ~/.netrc file. It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected. In python-requests before 2.6.0, a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.
c16596fd1421f61f65bec780385bab621cf701455989361dc3437d3ee0d43c9b
Ubuntu Security Notice 2531-1 - Matthew Daley discovered that Requests incorrectly handled cookies without host values when being redirected. A remote attacker could possibly use this issue to perform session fixation or cookie stealing attacks.
3b5dfa3d2870523dde7bcde40ac0889a5386922682bebc6bf6ce36c3c40c4224