Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Mehrere Probleme in python-requests
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in python-requests
ID: MDVSA-2015:133
Distribution: Mandriva
Plattformen: Mandriva Business Server 2.0
Datum: So, 29. März 2015, 14:11
Referenzen: http://advisories.mageia.org/MGASA-2014-0409.html
http://advisories.mageia.org/MGASA-2015-0120.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296

Originalnachricht

This is a multi-part message in MIME format...

------------=_1427627352-10360-33

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:133
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-requests
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated python-requests packages fix security vulnerabilities:

Python-requests was found to have a vulnerability, where the attacker
can retrieve the passwords from ~/.netrc file through redirect
requests, if the user has their passwords stored in the ~/.netrc file
(CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header
was never re-evaluated when a redirect occurs. The Proxy-Authorization
header was sent to any new proxy or non-proxy destination as redirected
(CVE-2014-1830).

In python-requests before 2.6.0, a cookie without a host value set
would use the hostname for the redirected URL exposing requests
users to session fixation attacks and potentially cookie stealing
(CVE-2015-2296).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296
http://advisories.mageia.org/MGASA-2014-0409.html
http://advisories.mageia.org/MGASA-2015-0120.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
bdc01b89f7847864db186b65cd1d46a4
mbs2/x86_64/python3-requests-2.3.0-1.1.mbs2.noarch.rpm
003bc0e04b5ebf77bcf00cf004d2591b
mbs2/x86_64/python-requests-2.3.0-1.1.mbs2.noarch.rpm
18db7d8b658c588b49979966fce6577d
mbs2/SRPMS/python-requests-2.3.0-1.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF85CmqjQ0CJFipgRApDzAJ94/bIyj7xjen0f8z7CAVYB4tM0JACfSyCR
UgtMpK/ETCrGT6qesmteJ5Q=
=I7Gj
-----END PGP SIGNATURE-----


------------=_1427627352-10360-33
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________


------------=_1427627352-10360-33--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung