Advisories » MGASA-2015-0120

Updated python-requests packages fix security vulnerability

Publication date: 27 Mar 2015
Modification date: 27 Mar 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2015-2296

Description

In python-requests before 2.6.0, a cookie without a host value set would use
the hostname for the redirected URL exposing requests users to session
fixation attacks and potentially cookie stealing (CVE-2015-2296).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15496
• https://warehouse.python.org/project/requests/2.6.0/
• http://openwall.com/lists/oss-security/2015/03/15/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296

SRPMS

4/core

• python-requests-2.3.0-1.2.mga4