Wednesday, October 31, 2018

Re: SECURITY UPDATE: www/py-requests 2.20.0

On Wed, 31 Oct 2018 18:19:11 -0500, Edward Lopez-Acosta
<elopezacosta@gmail.com> wrote:

> Changelog:
> - Fixed in 2.20.0 - CVE 2018-18074
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074
>
> The Requests package before 2.20.0 for Python sends an HTTP
> Authorization header to an http URI upon receiving a same-hostname
> https-to-http redirect, which makes it easier for remote attackers to
> discover credentials by sniffing the network.
>
> Diff attached. Builds fine on amd64 and only thing that requires it
> is upt-pypi (limited to py3 variant).
>
> Ok to merge?

The update looks good. The PLIST diff doesn't seem to be needed on my
side (and is removed if I regen the plist). I'd like to commit it
really soon. 2.20.0 was tagged two weeks ago so I guess it should be
fine as there's no .1 :)

Any objection? (or ok)

I'd like to add it to quirks as well. I'm not clever enough for the cve
stuff and I don't have any flavour example, is this diff correct?


Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.634
diff -u -p -r1.634 Makefile
--- Makefile 31 Oct 2018 23:01:55 -0000 1.634
+++ Makefile 1 Nov 2018 00:23:47 -0000
@@ -5,7 +5,7 @@ CATEGORIES = devel databases
DISTFILES =

# API.rev
-PKGNAME = quirks-3.27
+PKGNAME = quirks-3.28
PKG_ARCH = *
MAINTAINER = Marc Espie <espie@openbsd.org>
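Review bot: the PKGNAME bump from quirks-3.27 to quirks-3.28 is the right companion to the Quirks.pm change; the '# API.rev' comment above PKGNAME marks the package version as the thing that is revised whenever the data in files/ changes, so the Makefile and Quirks.pm hunks should land in a single commit rather than separately.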

Index: files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.648
diff -u -p -r1.648 Quirks.pm
--- files/Quirks.pm 31 Oct 2018 23:01:55 -0000 1.648
+++ files/Quirks.pm 1 Nov 2018 00:23:47 -0000
@@ -1212,6 +1212,8 @@ my $cve = {
'www/iridium' => 'iridium-<2018.5.67',
'www/mozilla-firefox' => 'firefox-<62.0.2p0',
'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0',
+ 'www/py-requests' => 'py-requests-<2.20.0',
+ 'www/py-requests,python3' => 'py3-requests-<2.20.0',
'www/webkitgtk4' => 'webkitgtk4-<2.20.5',
'x11/gnome/gdm' => 'gdm-<3.28.3',
};
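Review bot: the flavour entry follows the same key shape as the rest of this hash: the flavour is appended to the pkgpath after a comma ('www/py-requests,python3') and the pkgspec uses that flavour's package stem ('py3-requests-<2.20.0'), while the unflavoured line maps 'www/py-requests' to 'py-requests-<2.20.0'. Both new lines keep the alphabetical order between 'www/p5-CGI-Application' and 'www/webkitgtk4'. The specs name the first fixed version with no revision suffix, which is correct as long as the updated port ships as plain 2.20.0; compare 'firefox-<62.0.2p0' above, where the spec carries a revision.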
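As an added example (not code from requests, from the port, or from anyone in this thread), a small Python model of the redirect rule the CVE text above describes: a host-only check that keeps the Authorization header on a same-host https-to-http redirect, beside a hardened check that also drops it on that scheme downgrade. The URLs and headers are constructed, and the functions are a simplified model of the decision, not the library's actual redirect code.

```python
from urllib.parse import urlparse

# Constructed model of the decision "should the Authorization header be
# carried across this redirect?" as described in the CVE text. Hypothetical
# function names; not the requests library's own implementation.


def strips_auth_pre_2_20(original_url: str, redirect_url: str) -> bool:
    """Behaviour the changelog describes for requests before 2.20.0: the
    header is dropped only when the hostname changes. A same-host
    https-to-http redirect therefore keeps it, and the credentials are
    sent over the plaintext connection."""
    return urlparse(original_url).hostname != urlparse(redirect_url).hostname


def strips_auth_2_20(original_url: str, redirect_url: str) -> bool:
    """Hardened rule: drop the header when the host changes, and also when
    the scheme is downgraded from https to http on the same host.
    Same-host https->https, http->http and http->https keep it."""
    orig, dest = urlparse(original_url), urlparse(redirect_url)
    if orig.hostname != dest.hostname:
        return True
    return orig.scheme == "https" and dest.scheme == "http"


def follow_redirect(headers: dict, original_url: str, redirect_url: str,
                    strip_rule=strips_auth_2_20) -> dict:
    """Return the headers a client would send to redirect_url after applying
    strip_rule. The header name is matched case-insensitively."""
    out = dict(headers)
    if strip_rule(original_url, redirect_url):
        for name in list(out):
            if name.lower() == "authorization":
                del out[name]
    return out


if __name__ == "__main__":
    hdrs = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"}  # constructed
    src = "https://example.com/login"
    dst = "http://example.com/legacy"  # same host, scheme downgraded
    print("pre-2.20.0 :", follow_redirect(hdrs, src, dst, strips_auth_pre_2_20))
    print("2.20.0     :", follow_redirect(hdrs, src, dst))
```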
