Advisories » MGASA-2014-0409

Updated python-requests packages fix security vulnerabilities

Publication date: 09 Oct 2014
Modification date: 09 Oct 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-1829 , CVE-2014-1830

Description

Updated python-requests packages fix security vulnerability:

Python-requests was found to have a vulnerability, where the attacker can
retrieve the passwords from ~/.netrc file through redirect requests, if the
user has their passwords stored in the ~/.netrc file (CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header was
never re-evaluated when a redirect occurs. The Proxy-Authorization header
was sent to any new proxy or non-proxy destination as redirected
(CVE-2014-1830).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14130
• https://bugzilla.redhat.com/show_bug.cgi?id=1046626
• https://bugzilla.redhat.com/show_bug.cgi?id=1144907
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830

SRPMS

4/core

• python-requests-2.3.0-1.mga4