Your message dated Mon, 10 Nov 2014 17:29:54 +0100
with message-id <[email protected]>
and subject line Re: Bug#768967: unblock: python-requests-kerberos/0.5-2
has caused the Debian Bug report #768967,
regarding unblock: python-requests-kerberos/0.5-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
768967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768967
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi,
My last upload of python-requests-kerberos fixed CVE-2014-8650:
failure to handle mutual authentication (Closes: #768408)
reported by the security team (debdiff including upstream patch
is attached).
Please unblock python-requests-kerberos/0.5-2
Cheers,
Thomas Goirand (zigo)
diff -Nru python-requests-kerberos-0.5/debian/changelog python-requests-kerberos-0.5/debian/changelog
--- python-requests-kerberos-0.5/debian/changelog 2014-06-27 06:37:32.000000000 +0000
+++ python-requests-kerberos-0.5/debian/changelog 2014-11-10 13:25:13.000000000 +0000
@@ -1,3 +1,11 @@
+python-requests-kerberos (0.5-2) unstable; urgency=high
+
+ * CVE-2014-8650: failure to handle mutual authentication. Applied upstream
+ patch: CVE-2014-8650_Handle_mutual_authentication.patch (Closes: #768408).
+ Thanks to Salvatore Bonaccorso <[email protected]> for reporting it.
+
+ -- Thomas Goirand <[email protected]> Mon, 10 Nov 2014 21:22:51 +0800
+
python-requests-kerberos (0.5-1) unstable; urgency=medium
* Initial release. (Closes: #752858)
diff -Nru python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch
--- python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch 2014-11-10 13:25:13.000000000 +0000
@@ -0,0 +1,39 @@
+Description: CVE-2014-8650: Handle mutual authentication
+ Make certain that responses always pass through handle_other() to provide
+ mutual authentication before returning them to the user.
+Origin: upstream, https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6.patch
+Author: Michael Komitee <[email protected]>
+Date: Fri, 8 Aug 2014 17:47:42 -0400
+Bug-Debian: https://bugs.debian.org/768408
+Index: python-requests-kerberos/requests_kerberos/kerberos_.py
+===================================================================
+--- python-requests-kerberos.orig/requests_kerberos/kerberos_.py 2014-06-12 09:10:24.000000000 +0800
++++ python-requests-kerberos/requests_kerberos/kerberos_.py 2014-11-10 21:24:56.000000000 +0800
+@@ -251,7 +251,7 @@
+ if response.status_code == 401:
+ _r = self.handle_401(response, **kwargs)
+ log.debug("handle_response(): returning {0}".format(_r))
+- return _r
++ return self.handle_response(_r, **kwargs)
+ else:
+ _r = self.handle_other(response)
+ log.debug("handle_response(): returning {0}".format(_r))
+Index: python-requests-kerberos/test_requests_kerberos.py
+===================================================================
+--- python-requests-kerberos.orig/test_requests_kerberos.py 2014-11-10 21:24:56.000000000 +0800
++++ python-requests-kerberos/test_requests_kerberos.py 2014-11-10 21:24:56.000000000 +0800
+@@ -403,10 +403,14 @@
+ response.connection = connection
+ response._content = ""
+ response.raw = raw
++
+ auth = requests_kerberos.HTTPKerberosAuth()
++ auth.handle_other = Mock(return_value=response_ok)
++
+ r = auth.handle_response(response)
+
+ self.assertTrue(response in r.history)
++ auth.handle_other.assert_called_with(response_ok)
+ self.assertEqual(r, response_ok)
+ self.assertEqual(request.headers['Authorization'], 'Negotiate GSSRESPONSE')
+ connection.send.assert_called_with(request)
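Review bot: In the kerberos_.py hunk, the new "return self.handle_response(_r, **kwargs)" recurses with no bound visible in these lines: if handle_401() hands back a response whose status_code is still 401, handle_response() takes the 401 branch again. Consider passing a non-401 _r directly to handle_other() and returning a repeated 401 to the caller (or counting 401s), and add a test for that path. The updated test only exercises the 401 followed by response_ok sequence, and it replaces handle_other with a Mock, so it shows the call is made but not that the mutual authentication check itself runs.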
diff -Nru python-requests-kerberos-0.5/debian/patches/series python-requests-kerberos-0.5/debian/patches/series
--- python-requests-kerberos-0.5/debian/patches/series 2014-06-27 06:37:32.000000000 +0000
+++ python-requests-kerberos-0.5/debian/patches/series 2014-11-10 13:25:13.000000000 +0000
@@ -1,2 +1,3 @@
disable-broken-test-in-python3.patch
fix-setup.py-to-work-with-python3.patch
+CVE-2014-8650_Handle_mutual_authentication.patch
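Review bot: The CVE patch is appended last in the series, after disable-broken-test-in-python3.patch, while its second hunk edits test_requests_kerberos.py at line 403, so if the earlier patches touch that file the fix only applies in this order. Listing the security fix first, refreshed against the unpatched test file, would keep it independent of the Python 3 workarounds and simpler to carry to other versions.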
--- End Message ---
--- Begin Message ---
On 2014-11-10 14:31, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Hi,
>
> My last upload of python-requests-kerberos fixed CVE-2014-8650:
> failure to handle mutual authentication (Closes: #768408)
> reported by the security team (debdiff including upstream patch
> is attached).
>
> Please unblock python-requests-kerberos/0.5-2
>
> Cheers,
>
> Thomas Goirand (zigo)
>
Unblocked, thanks.
~Niels
--- End Message ---