Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi,

My last upload of python-requests-kerberos fixed CVE-2014-8650: failure to handle mutual authentication (Closes: #768408), reported by the security team (a debdiff including the upstream patch is attached).

Please unblock python-requests-kerberos/0.5-2

Cheers,

Thomas Goirand (zigo)
diff -Nru python-requests-kerberos-0.5/debian/changelog python-requests-kerberos-0.5/debian/changelog --- python-requests-kerberos-0.5/debian/changelog 2014-06-27 06:37:32.000000000 +0000 +++ python-requests-kerberos-0.5/debian/changelog 2014-11-10 13:25:13.000000000 +0000 @@ -1,3 +1,11 @@ +python-requests-kerberos (0.5-2) unstable; urgency=high + + * CVE-2014-8650: failure to handle mutual authentication. Applied upstream + patch: CVE-2014-8650_Handle_mutual_authentication.patch (Closes: #768408). + Thanks to Salvatore Bonaccorso <[email protected]> for reporting it. + + -- Thomas Goirand <[email protected]> Mon, 10 Nov 2014 21:22:51 +0800 + python-requests-kerberos (0.5-1) unstable; urgency=medium * Initial release. (Closes: #752858) diff -Nru python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch --- python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch 1970-01-01 00:00:00.000000000 +0000 +++ python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch 2014-11-10 13:25:13.000000000 +0000 
@@ -0,0 +1,39 @@ +Description: CVE-2014-8650: Handle mutual authentication + Make certain that responses always pass through handle_other() to provide + mutual authentication before returning them to the user. +Origin: upstream, https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6.patch +Author: Michael Komitee <[email protected]> +Date: Fri, 8 Aug 2014 17:47:42 -0400 +Bug-Debian: https://bugs.debian.org/768408 +Index: python-requests-kerberos/requests_kerberos/kerberos_.py +=================================================================== +--- python-requests-kerberos.orig/requests_kerberos/kerberos_.py 2014-06-12 09:10:24.000000000 +0800 ++++ python-requests-kerberos/requests_kerberos/kerberos_.py 2014-11-10 21:24:56.000000000 +0800 +@@ -251,7 +251,7 @@ + if response.status_code == 401: + _r = self.handle_401(response, **kwargs) + log.debug("handle_response(): returning {0}".format(_r)) +- return _r ++ return self.handle_response(_r, **kwargs) + else: + _r = self.handle_other(response) + log.debug("handle_response(): returning {0}".format(_r)) +Index: python-requests-kerberos/test_requests_kerberos.py +=================================================================== +--- python-requests-kerberos.orig/test_requests_kerberos.py 2014-11-10 21:24:56.000000000 +0800 ++++ python-requests-kerberos/test_requests_kerberos.py 2014-11-10 21:24:56.000000000 +0800 +@@ -403,10 +403,14 @@ + response.connection = connection + response._content = "" + response.raw = raw ++ + auth = requests_kerberos.HTTPKerberosAuth() ++ auth.handle_other = Mock(return_value=response_ok) ++ + r = auth.handle_response(response) + + self.assertTrue(response in r.history) ++ auth.handle_other.assert_called_with(response_ok) + self.assertEqual(r, response_ok) + self.assertEqual(request.headers['Authorization'], 'Negotiate GSSRESPONSE') + connection.send.assert_called_with(request) diff -Nru python-requests-kerberos-0.5/debian/patches/series 
python-requests-kerberos-0.5/debian/patches/series --- python-requests-kerberos-0.5/debian/patches/series 2014-06-27 06:37:32.000000000 +0000 +++ python-requests-kerberos-0.5/debian/patches/series 2014-11-10 13:25:13.000000000 +0000 @@ -1,2 +1,3 @@ disable-broken-test-in-python3.patch fix-setup.py-to-work-with-python3.patch +CVE-2014-8650_Handle_mutual_authentication.patch
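Review bot: in the kerberos_.py hunk, the new `return self.handle_response(_r, **kwargs)` recurses with no visible termination condition, so if `handle_401()` hands back another 401 (for example when the server rejects the Negotiate token) the method will call `handle_401()` again on that response, and the hunk shows nothing that bounds how many times this can happen. The recursion is the right way to force the post-authentication response through `handle_other()` for mutual authentication, but it should be bounded: pass a retry counter through `kwargs` (or check the status before recursing) and return the 401 as-is once a second 401 has been seen, so a misbehaving or hostile server cannot drive the client into unbounded recursion instead of a clean authentication failure.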

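Review bot: in the test_requests_kerberos.py hunk, replacing `auth.handle_other` with `Mock(return_value=response_ok)` means the test only proves that the second response is routed through `handle_other()` (`auth.handle_other.assert_called_with(response_ok)`), not that mutual authentication is actually enforced on it. That is fine as a regression test for the routing bug, but a companion test that leaves the real `handle_other()` in place and feeds it a final response without a valid `WWW-Authenticate: Negotiate` token, asserting that the response is rejected rather than returned, would cover the behaviour CVE-2014-8650 is about.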
