Re: SECURITY UPDATE: www/py-requests 2.20.0
On Wed, 31 Oct 2018 18:19:11 -0500, Edward Lopez-Acosta wrote:
> Changelog:
> - Fixed in 2.20.0 - CVE 2018-18074
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074
>
> The Requests package before 2.20.0 for Python sends an HTTP
> Authorization header to an http URI upon receiving a same-hostname
> https-to-http redirect, which makes it easier for remote attackers to
> discover credentials by sniffing the network.
>
> Diff attached. Builds fine on amd64 and the only thing that requires it
> is upt-pypi (limited to py3 variant).
>
> Ok to merge?

The update looks good. The PLIST diff doesn't seem to be needed on my side (and is removed if I regen the plist).

I'd like to commit it really soon. 2.20.0 was tagged two weeks ago so I guess it should be fine as there's no .1 :)

Any objection? (or ok)

I'd like to add it to quirks as well. I'm not clever enough for the cve stuff and I don't have any flavour example; is this diff correct?

Index: Makefile === RCS file: /cvs/ports/devel/quirks/Makefile,v retrieving revision 1.634 diff -u -p -r1.634 Makefile --- Makefile31 Oct 2018 23:01:55 - 1.634 +++ Makefile1 Nov 2018 00:23:47 - @@ -5,7 +5,7 @@ CATEGORIES =devel databases DISTFILES = # API.rev -PKGNAME = quirks-3.27 +PKGNAME = quirks-3.28 PKG_ARCH = * MAINTAINER = Marc Espie Index: files/Quirks.pm === RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v retrieving revision 1.648 diff -u -p -r1.648 Quirks.pm --- files/Quirks.pm 31 Oct 2018 23:01:55 - 1.648 +++ files/Quirks.pm 1 Nov 2018 00:23:47 - @@ -1212,6 +1212,8 @@ my $cve = { 'www/iridium' => 'iridium-<2018.5.67', 'www/mozilla-firefox' => 'firefox-<62.0.2p0', 'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0', + 'www/py-requests' => 'py-requests-<2.20.0', + 'www/py-requests,python3' => 'py3-requests-<2.20.0', 'www/webkitgtk4' => 'webkitgtk4-<2.20.5', 'x11/gnome/gdm' => 'gdm-<3.28.3', };
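Review bot: the PKGNAME bump from quirks-3.27 to quirks-3.28 in the quirks Makefile hunk is required, not optional: every change to files/Quirks.pm only reaches users as a new quirks package, and pkg_add picks up the new $cve entries only when the package version changes. Nothing else needs to change in this hunk.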
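Review bot: the Quirks.pm hunk is correct as written. The two new $cve entries use the same `'pkgpath' => 'pkgspec'` form as their neighbours and keep the alphabetical order between `www/p5-CGI-Application` and `www/webkitgtk4`. The flavoured key `'www/py-requests,python3' => 'py3-requests-<2.20.0'` is the right way to cover the py3 package, since the flavour is part of the pkgpath and the installed package is named py3-requests rather than py-requests. Because the port's previous version was 2.18.4 with REVISION 0, the installed packages py-requests-2.18.4p0 and py3-requests-2.18.4p0 both satisfy `<2.20.0` and will be flagged.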
SECURITY UPDATE: www/py-requests 2.20.0
Changelog:
- Fixed in 2.20.0 - CVE 2018-18074

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Diff attached. Builds fine on amd64 and the only thing that requires it is upt-pypi (limited to py3 variant).

Ok to merge?

--
Edward Lopez-Acosta

diff --git a/www/py-requests/Makefile b/www/py-requests/Makefile index 99a31c7d4c0..95a1d504667 100644 --- a/www/py-requests/Makefile +++ b/www/py-requests/Makefile @@ -2,13 +2,9 @@ COMMENT= elegant and simple HTTP library for Python -MODPY_EGG_VERSION= 2.18.4 +MODPY_EGG_VERSION= 2.20.0 DISTNAME= requests-${MODPY_EGG_VERSION} PKGNAME= py-${DISTNAME} -REVISION= 0 - -# XXX remove during next update -DISTFILES = ${DISTNAME}_1{${DISTNAME}}${EXTRACT_SUFX} CATEGORIES= www diff --git a/www/py-requests/distinfo b/www/py-requests/distinfo index 6a3a0f542b2..dfbc7c0549f 100644 --- a/www/py-requests/distinfo +++ b/www/py-requests/distinfo @@ -1,2 +1,2 @@ -SHA256 (requests-2.18.4_1.tar.gz) = nEQ+cyS6W4UHDEqBit4ov6vt8W6hAgbaETLtqm3aI34= -SIZE (requests-2.18.4_1.tar.gz) = 126224 +SHA256 (requests-2.20.0.tar.gz) = mdz9qusXyvblJvMrant4BGFRKrPx2ZIYeAFpTLpCdww= +SIZE (requests-2.20.0.tar.gz) = 79 diff --git a/www/py-requests/pkg/PLIST b/www/py-requests/pkg/PLIST index bf0d0e12636..feac233b56f 100644 --- a/www/py-requests/pkg/PLIST +++ b/www/py-requests/pkg/PLIST @@ -1,4 +1,6 @@ @comment $OpenBSD: PLIST,v 1.12 2018/01/21 23:20:10 jung Exp $ +lib/python${MODPY_VERSION}/ +lib/python${MODPY_VERSION}/site-packages/ lib/python${MODPY_VERSION}/site-packages/requests/ lib/python${MODPY_VERSION}/site-packages/requests-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info/ lib/python${MODPY_VERSION}/site-packages/requests-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info/PKG-INFO
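Review bot: dropping `REVISION= 0` together with the `# XXX remove during next update` DISTFILES override in the Makefile hunk is the right cleanup for this version bump; the renamed `${DISTNAME}_1` distfile was only needed for 2.18.4, and with MODPY_EGG_VERSION at 2.20.0 the package becomes py-requests-2.20.0, which is the version the quirks entry will compare against.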
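Review bot: `SIZE (requests-2.20.0.tar.gz) = 79` in the distinfo hunk cannot be right for a full sdist; the previous tarball was 126224 bytes, and a 79-byte distfile is the size of a redirect or error body, not a source archive. Re-fetch the distfile, regenerate distinfo with `make makesum`, and compare the SHA256 with the checksum PyPI publishes for requests-2.20.0 before committing, otherwise the port would be pinned to a checksum of something other than the upstream release.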
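Review bot: the two added directory lines `lib/python${MODPY_VERSION}/` and `lib/python${MODPY_VERSION}/site-packages/` in the PLIST hunk should be dropped; those directories are owned by the python package itself and a regenerated PLIST (`make update-plist`) does not list them, which matches what the reply on this thread observes. Keep the rest of the diff and leave PLIST unchanged.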
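The https-to-http redirect described in the changelog, as an added example that is not part of this thread, of the requests project or of the OpenBSD port: a simplified re-implementation of two policies for deciding whether a stored Authorization header may follow a redirect, the hostname-only policy that matches the pre-2.20.0 behaviour and a hardened policy that also refuses a scheme or port change, run over constructed redirect chains. The function names, the sample hosts and the credential value are assumptions made here; the hardened check follows the idea of the upstream fix but is not its code.

```python
"""Illustration of the redirect check behind CVE-2018-18074.

Added example, not code from the requests project or from the OpenBSD port.
It re-implements, in simplified form, two policies for deciding whether a
stored Authorization header may follow a redirect: the pre-2.20.0 policy
(hostname only) and a hardened policy that also refuses a TLS downgrade.
The function names and the sample redirect chains are constructed here.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parsed):
    """Port given in the URL, or the scheme's default when none is given."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def strip_auth_hostname_only(old_url, new_url):
    """Pre-2.20.0 behaviour: credentials are dropped only when the hostname changes.

    A same-host https -> http redirect therefore keeps the Authorization header,
    which is the defect described by CVE-2018-18074.
    """
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def strip_auth_hardened(old_url, new_url):
    """Hardened policy: drop credentials when the host, the scheme or the port changes.

    The one tolerated same-host change is an upgrade from http on its default port
    to https on its default port, which cannot expose anything that was not already
    sent in the clear on the first request.
    """
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and _effective_port(old) == 80
            and new.scheme == "https" and _effective_port(new) == 443):
        return False  # plaintext -> TLS upgrade on standard ports is safe
    return old.scheme != new.scheme or _effective_port(old) != _effective_port(new)


def follow_redirects(hops, policy, headers):
    """Walk a redirect chain and return the headers that would be sent on the final hop.

    `hops` lists the URLs visited, starting with the original request. `policy` is
    one of the two functions above. Once stripped, Authorization is not re-added on
    later hops, mirroring a client that only stores the original credentials.
    """
    sent = dict(headers)
    for prev, nxt in zip(hops, hops[1:]):
        if "Authorization" in sent and policy(prev, nxt):
            del sent["Authorization"]
    return sent


# Constructed sample chains; the hosts and the Basic credential are made up.
DOWNGRADE_CHAIN = ["https://api.example.test/v1/me", "http://api.example.test/v1/me"]
UPGRADE_CHAIN = ["http://api.example.test/", "https://api.example.test/"]
CROSS_HOST_CHAIN = ["https://api.example.test/", "https://cdn.example.test/"]


def demo():
    """Return, per chain, whether each policy still sends Authorization on the final hop."""
    headers = {"Authorization": "Basic dXNlcjpzZWNyZXQ=", "Accept": "application/json"}
    result = {}
    for name, chain in (("downgrade", DOWNGRADE_CHAIN),
                        ("upgrade", UPGRADE_CHAIN),
                        ("cross_host", CROSS_HOST_CHAIN)):
        result[name] = {
            "hostname_only": "Authorization" in follow_redirects(chain, strip_auth_hostname_only, headers),
            "hardened": "Authorization" in follow_redirects(chain, strip_auth_hardened, headers),
        }
    return result


if __name__ == "__main__":
    for chain, outcome in demo().items():
        print(f"{chain:11s} hostname_only={outcome['hostname_only']!s:5s} hardened={outcome['hardened']}")
```

Running the block prints one line per chain. The two policies agree on the cross-host and http-to-https cases; the only disagreement is the same-host https-to-http downgrade, where the hostname-only policy still sends the credential over plaintext and the hardened policy drops it, which is exactly the case the CVE text describes.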