Re: SECURITY UPDATE: www/py-requests 2.20.0

2018-10-31 Thread Daniel Jakots
On Wed, 31 Oct 2018 18:19:11 -0500, Edward Lopez-Acosta wrote:

> Changelog:
> - Fixed in 2.20.0 - CVE-2018-18074
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074
> 
> The Requests package before 2.20.0 for Python sends an HTTP 
> Authorization header to an http URI upon receiving a same-hostname 
> https-to-http redirect, which makes it easier for remote attackers to 
> discover credentials by sniffing the network.
> 
> Diff attached. Builds fine on amd64 and the only thing that requires it
> is upt-pypi (limited to py3 variant).
> 
> Ok to merge?

The update looks good. The PLIST diff doesn't seem to be needed on my
side (and is removed if I regen the plist). I'd like to commit it
really soon. 2.20.0 was tagged two weeks ago, so I guess it should be
fine as there's no .1 :)

Any objection? (or ok)

I'd like to add it to quirks as well. I'm not clever enough for the CVE
stuff and I don't have any flavour example, is this diff correct?


Index: Makefile
===
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.634
diff -u -p -r1.634 Makefile
--- Makefile31 Oct 2018 23:01:55 -  1.634
+++ Makefile1 Nov 2018 00:23:47 -
@@ -5,7 +5,7 @@ CATEGORIES =devel databases
 DISTFILES =
 
 # API.rev
-PKGNAME =  quirks-3.27
+PKGNAME =  quirks-3.28
 PKG_ARCH = *
 MAINTAINER =   Marc Espie 
 
Index: files/Quirks.pm
===
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.648
diff -u -p -r1.648 Quirks.pm
--- files/Quirks.pm 31 Oct 2018 23:01:55 -  1.648
+++ files/Quirks.pm 1 Nov 2018 00:23:47 -
@@ -1212,6 +1212,8 @@ my $cve = {
'www/iridium' => 'iridium-<2018.5.67',
'www/mozilla-firefox' => 'firefox-<62.0.2p0',
'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0',
+   'www/py-requests' => 'py-requests-<2.20.0',
+   'www/py-requests,python3' => 'py3-requests-<2.20.0',
'www/webkitgtk4' => 'webkitgtk4-<2.20.5',
'x11/gnome/gdm' => 'gdm-<3.28.3',
 };
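Review bot: the two new entries are consistent with the port diff in this thread: the `<2.20.0` comparison matches the new MODPY_EGG_VERSION, and since that diff also drops REVISION, the rebuilt packages are py-requests-2.20.0 and py3-requests-2.20.0 exactly, so only installs from before the update get flagged. Pairing the data change with the quirks-3.27 to quirks-3.28 PKGNAME bump in the Makefile hunk is what makes the new entries reach users, so keep both hunks together in one commit.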



SECURITY UPDATE: www/py-requests 2.20.0

2018-10-31 Thread Edward Lopez-Acosta

Changelog:
- Fixed in 2.20.0 - CVE-2018-18074

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074

The Requests package before 2.20.0 for Python sends an HTTP 
Authorization header to an http URI upon receiving a same-hostname 
https-to-http redirect, which makes it easier for remote attackers to 
discover credentials by sniffing the network.


Diff attached. Builds fine on amd64 and the only thing that requires it is
upt-pypi (limited to py3 variant).


Ok to merge?
--
Edward Lopez-Acosta
diff --git a/www/py-requests/Makefile b/www/py-requests/Makefile
index 99a31c7d4c0..95a1d504667 100644
--- a/www/py-requests/Makefile
+++ b/www/py-requests/Makefile
@@ -2,13 +2,9 @@
 
 COMMENT=		elegant and simple HTTP library for Python
 
-MODPY_EGG_VERSION=	2.18.4
+MODPY_EGG_VERSION=	2.20.0
 DISTNAME=		requests-${MODPY_EGG_VERSION}
 PKGNAME=		py-${DISTNAME}
-REVISION=		0
-
-# XXX remove during next update
-DISTFILES =		${DISTNAME}_1{${DISTNAME}}${EXTRACT_SUFX}
 
 CATEGORIES=		www
 
diff --git a/www/py-requests/distinfo b/www/py-requests/distinfo
index 6a3a0f542b2..dfbc7c0549f 100644
--- a/www/py-requests/distinfo
+++ b/www/py-requests/distinfo
@@ -1,2 +1,2 @@
-SHA256 (requests-2.18.4_1.tar.gz) = nEQ+cyS6W4UHDEqBit4ov6vt8W6hAgbaETLtqm3aI34=
-SIZE (requests-2.18.4_1.tar.gz) = 126224
+SHA256 (requests-2.20.0.tar.gz) = mdz9qusXyvblJvMrant4BGFRKrPx2ZIYeAFpTLpCdww=
+SIZE (requests-2.20.0.tar.gz) = 79
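Review bot: `SIZE (requests-2.20.0.tar.gz) = 79` cannot be the size of a requests release tarball; the previous distfile was 126224 bytes, and a 79-byte file is what an error page or redirect body looks like when it gets checksummed instead of the archive. Either the line was mangled in the mail or the fetch went wrong, so please re-fetch the distfile, regenerate distinfo with `make makesum`, and check that the SHA256 still matches before committing.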
diff --git a/www/py-requests/pkg/PLIST b/www/py-requests/pkg/PLIST
index bf0d0e12636..feac233b56f 100644
--- a/www/py-requests/pkg/PLIST
+++ b/www/py-requests/pkg/PLIST
@@ -1,4 +1,6 @@
 @comment $OpenBSD: PLIST,v 1.12 2018/01/21 23:20:10 jung Exp $
+lib/python${MODPY_VERSION}/
+lib/python${MODPY_VERSION}/site-packages/
 lib/python${MODPY_VERSION}/site-packages/requests/
 lib/python${MODPY_VERSION}/site-packages/requests-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info/
 lib/python${MODPY_VERSION}/site-packages/requests-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info/PKG-INFO
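To make the CVE description in this mail concrete, here is an added example (not code from the requests project, the port, or this diff) of the redirect check that closes the hole: before a redirected request is sent, the Authorization header is dropped whenever the hop would move it to another host, port or scheme, including the same-hostname https-to-http downgrade the CVE describes. The policy and the redirect table are assumptions constructed for the demo; the one exception it keeps (http:80 to https:443) is a deliberate choice, not something this thread states.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def _origin(url):
    """(scheme, host, effective port) of a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORT.get(p.scheme)

def should_strip_auth(old_url, new_url):
    """True when Authorization must not be forwarded from old_url to new_url.
    Assumed policy for this example: drop on any host, port or scheme change,
    except a plain http:80 -> https:443 upgrade, which only makes the hop safer."""
    old, new = _origin(old_url), _origin(new_url)
    if old[1] != new[1]:
        return True  # credentials never cross hosts
    if old == ("http", old[1], 80) and new == ("https", new[1], 443):
        return False  # cleartext -> TLS on default ports keeps the secret off the wire
    # Same host but a different scheme or port. This is the CVE-2018-18074 case:
    # https -> http on the same host lands the header on a cleartext connection.
    return old[0] != new[0] or old[2] != new[2]

def rebuild_headers(headers, old_url, new_url):
    """Headers for the redirected request, with Authorization removed when unsafe."""
    out = dict(headers)
    if should_strip_auth(old_url, new_url):
        out.pop("Authorization", None)
    return out

# Constructed stand-in for a server: url -> Location of its 302 reply,
# or None when the server answers 200 and the chain ends.
REDIRECTS = {
    "https://api.example.test/login": "http://api.example.test/login",  # downgrade
    "http://api.example.test/login": None,
}

def follow(start_url, headers, redirects=REDIRECTS):
    """Walk a redirect chain; return [(url, headers that would be sent)] per hop."""
    url, sent, hops = start_url, dict(headers), []
    while True:
        hops.append((url, sent))
        target = redirects.get(url)
        if target is None:
            return hops
        sent = rebuild_headers(sent, url, target)
        url = target
```

Running `follow("https://api.example.test/login", {"Authorization": "Basic ...", "Accept": "*/*"})` shows the header present on the first hop and absent on the cleartext second hop, which is exactly what a pre-2.20.0 client got wrong.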