diff options
| author | Daniele Tricoli <eriol@mornie.org> | 2015-03-16 01:01:45 +0000 |
|---|---|---|
| committer | Daniele Tricoli <eriol@mornie.org> | 2015-03-16 01:01:45 +0000 |
| commit | 140fa9de439ee29a87f5670b7620906c3fa65326 (patch) | |
| tree | 99a594210ff04703aeec22d89b3a89fc75d8e38a /debian | |
| parent | 8af60f07fee0bd4abd9ee269e767cdc55c15f2b6 (diff) | |
| download | python-requests-140fa9de439ee29a87f5670b7620906c3fa65326.tar python-requests-140fa9de439ee29a87f5670b7620906c3fa65326.tar.gz | |
Fix session fixation and cookie stealing: CVE-2015-2296. (Closes: #780506)
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 5 | ||||
| -rw-r--r-- | debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch | 17 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 22 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 10a3a62..2501b1c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,8 +3,11 @@ requests (2.4.3-6) UNRELEASED; urgency=medium * debian/patches/05_do-not-make-SSLv3-mandatory.patch - Since SSL version 3 is insecure it is supported only if Python supports it. (Closes: #770172) + * debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch + - Fix session fixation and cookie stealing: CVE-2015-2296. + (Closes: #780506) - -- Daniele Tricoli <eriol@mornie.org> Sat, 22 Nov 2014 19:44:01 +0100 + -- Daniele Tricoli <eriol@mornie.org> Mon, 16 Mar 2015 01:31:10 +0100 requests (2.4.3-5) unstable; urgency=medium diff --git a/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch b/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch new file mode 100644 index 0000000..3dd3bba --- /dev/null +++ b/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch @@ -0,0 +1,17 @@ +Description: Session fixation and cookie stealing. + See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete + description. +Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc +Bug-Debian: https://bugs.debian.org/780506 + +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -168,7 +168,7 @@ + except KeyError: + pass + +- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw) ++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw) + prepared_request._cookies.update(self.cookies) + prepared_request.prepare_cookies(prepared_request._cookies) + diff --git a/debian/patches/series b/debian/patches/series index c373be5..af44331 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ 03_export-IncompleteRead.patch 04_make-requests.packages.urllib3-same-as-urllib3.patch 05_do-not-make-SSLv3-mandatory.patch +06_do-not-ascribe-cookies-to-the-target-domain.patch |