Debian Security Advisory DSA 3146-1 (requests - Security Update) Network Vulnerability

Summary

Jakub Wilk discovered that in requests, an HTTP library for the Python language, authentication information was improperly handled when a redirect occured. This would allow remote servers to obtain two different types of sensitive information: proxy passwords from the Proxy-Authorization header (CVE-2014-1830), or netrc passwords from the Authorization header (CVE-2014-1829).

Solution

For the stable distribution (wheezy), this problem has been fixed in version 0.12.1-1+deb7u1. For the upcoming stable distribution (jessie) and unstable distribution (sid), this problem has been fixed in version 2.3.0-1. We recommend that you upgrade your requests packages.

Affected

requests on Debian Linux

Detection

This check tests the installed software version using the apt package manager.

References

http://www.debian.org/security/2015/dsa-3146.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-1829, CVE-2014-1830

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Debian Security Advisory DSA 036-1 (mc)
Debian Security Advisory DSA 1155-2 (sendmail)
Debian Security Advisory DSA 1094-1 (gforge)
Debian Security Advisory DSA 1059-1 (quagga)
Debian Security Advisory DSA 080-1 (htdig)

Debian Security Advisory DSA 3146-1 (requests - security update)

Take action and discover your vulnerabilities