aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch17
-rw-r--r--debian/patches/series1
3 files changed, 26 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index edd52f2..24993e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+requests (2.4.3-6) unstable; urgency=medium
+
+ * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
+ - Fix session fixation and cookie stealing: CVE-2015-2296.
+ (Closes: #780506)
+
+ -- Daniele Tricoli <eriol@mornie.org> Mon, 16 Mar 2015 01:31:10 +0100
+
requests (2.4.3-5) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch b/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
new file mode 100644
index 0000000..3dd3bba
--- /dev/null
+++ b/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
diff --git a/debian/patches/series b/debian/patches/series
index 38fffac..bcd27f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
02_use-system-chardet-and-urllib3.patch
03_export-IncompleteRead.patch
04_make-requests.packages.urllib3-same-as-urllib3.patch
+05_do-not-ascribe-cookies-to-the-target-domain.patch