diff options
author | Daniele Tricoli <eriol@mornie.org> | 2015-03-16 01:31:10 +0100 |
---|---|---|
committer | Daniele Tricoli <eriol@mornie.org> | 2015-03-16 01:31:10 +0100 |
commit | 6509d16d9f1dc35e28ea4bf8fc9a9508287fd74d (patch) | |
tree | 63f03365126cb905303dca52ec9cedf08fb59a4d /debian | |
parent | 0dd40d0eca2d963b301aa727bcffc6790da706b8 (diff) | |
parent | 84c8199b600a805603600cbeb0a3119bc717e972 (diff) | |
download | python-requests-6509d16d9f1dc35e28ea4bf8fc9a9508287fd74d.tar python-requests-6509d16d9f1dc35e28ea4bf8fc9a9508287fd74d.tar.gz |
Imported Debian patch 2.4.3-6
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch | 17 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 26 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index edd52f2..24993e6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +requests (2.4.3-6) unstable; urgency=medium + + * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch + - Fix session fixation and cookie stealing: CVE-2015-2296. + (Closes: #780506) + + -- Daniele Tricoli <eriol@mornie.org> Mon, 16 Mar 2015 01:31:10 +0100 + requests (2.4.3-5) unstable; urgency=medium * Team upload. diff --git a/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch b/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch new file mode 100644 index 0000000..3dd3bba --- /dev/null +++ b/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch @@ -0,0 +1,17 @@ +Description: Session fixation and cookie stealing. + See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete + description. +Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc +Bug-Debian: https://bugs.debian.org/780506 + +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -168,7 +168,7 @@ + except KeyError: + pass + +- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw) ++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw) + prepared_request._cookies.update(self.cookies) + prepared_request.prepare_cookies(prepared_request._cookies) + diff --git a/debian/patches/series b/debian/patches/series index 38fffac..bcd27f4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 02_use-system-chardet-and-urllib3.patch 03_export-IncompleteRead.patch 04_make-requests.packages.urllib3-same-as-urllib3.patch +05_do-not-ascribe-cookies-to-the-target-domain.patch |