Your message dated Thu, 25 Oct 2018 02:37:04 +0000
with message-id <[email protected]>
and subject line Bug#910766: fixed in requests 2.20.0-1
has caused the Debian Bug report #910766,
regarding requests: CVE-2018-18074
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
910766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: requests
Version: 2.18.4-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/requests/requests/issues/4716
Hi,
The following vulnerability was published for requests.
CVE-2018-18074[0]:
| The Requests package through 2.19.1 before 2018-09-14 for Python sends
| an HTTP Authorization header to an http URI upon receiving a
| same-hostname https-to-http redirect, which makes it easier for remote
| attackers to discover credentials by sniffing the network.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-18074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
[1] https://github.com/requests/requests/issues/4716
[2] https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
[3] https://github.com/requests/requests/pull/4718
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
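The redirect behaviour described in the CVE text above, as an added example (not the upstream patch and not part of the original report): a hostname-only comparison keeps the Authorization header on a same-host https-to-http redirect, while a check that also compares scheme and port drops it. The function names and the `api.example.test` URLs are constructed for illustration, and keeping the header on an http-to-https upgrade over default ports is a design assumption of this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, hostname, effective port) for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def strip_auth_hostname_only(old_url, new_url):
    """Models the behaviour in the CVE text: only the hostname is compared."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def strip_auth_hardened(old_url, new_url):
    """Strip credentials unless scheme, host and port all match.

    Assumption of this sketch: an http -> https upgrade on the default
    ports of the same host is allowed to keep the header.
    """
    old, new = _origin(old_url), _origin(new_url)
    if old[1] != new[1]:
        return True
    if old == ("http", old[1], 80) and new == ("https", new[1], 443):
        return False
    return old != new


def headers_for_redirect(headers, old_url, new_url, should_strip):
    """Return the headers that would be sent to new_url after a redirect."""
    out = dict(headers)
    if should_strip(old_url, new_url):
        for name in list(out):
            if name.lower() == "authorization":
                del out[name]
    return out


# Constructed sample: same host, scheme downgraded from https to http.
SAMPLE_OLD = "https://api.example.test/login"
SAMPLE_NEW = "http://api.example.test/login"
SAMPLE_HEADERS = {"Authorization": "Basic Y29uc3RydWN0ZWQ6c2FtcGxl", "Accept": "*/*"}
```
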
--- Begin Message ---
Source: requests
Source-Version: 2.20.0-1
We believe that the bug you reported is fixed in the latest version of
requests, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniele Tricoli <[email protected]> (supplier of updated requests package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 25 Oct 2018 03:50:50 +0200
Source: requests
Binary: python-requests python3-requests
Architecture: source all
Version: 2.20.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Daniele Tricoli <[email protected]>
Description:
 python-requests - elegant and simple HTTP library for Python2, built for human bein
 python3-requests - elegant and simple HTTP library for Python3, built for human bein
Closes: 910766
Changes:
 requests (2.20.0-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Remove ancient X-Python-Version field
   * d/control: Remove ancient X-Python3-Version field
   * Convert git repository from git-dpm to gbp layout
 .
   [ Daniele Tricoli ]
   * New upstream release.
     - Fix CVE-2018-18074 (Closes: #910766)
   * Add gbp.conf.
   * debian/control
     - Bump python{,3}-urllib3 (>= 1.21.1) (<< 1.25).
     - Bump Standards-Version to 4.2.1 (no changes needed).
   * debian/copyright
     - Update upstream copyright year.
     - Update Source field to point to new PyPI URL.
   * debian/docs
     - Rename README.rst to README.md.
   * debian/rules
     - Rename HISTORY.rst to HISTORY.md.
   * debian/watch
     - Remove pgpsigurlmangle since upstream is not signing releases anymore.
   * debian/upstream/signing-key.asc
     - Remove upstream signing-key.asc since not used anymore.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team