From 8af60f07fee0bd4abd9ee269e767cdc55c15f2b6 Mon Sep 17 00:00:00 2001
From: Daniele Tricoli
Date: Sat, 22 Nov 2014 18:57:06 +0000
Subject: * debian/patches/05_do-not-make-SSLv3-mandatory.patch - Since SSL version 3 is insecure it is supported only if Python supports it. (Closes: #770172)
---
 debian/changelog | 8 +++++++
 .../patches/05_do-not-make-SSLv3-mandatory.patch | 25 ++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 34 insertions(+)
 create mode 100644 debian/patches/05_do-not-make-SSLv3-mandatory.patch
diff --git a/debian/changelog b/debian/changelog
index edd52f2..10a3a62 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+requests (2.4.3-6) UNRELEASED; urgency=medium
+
+ * debian/patches/05_do-not-make-SSLv3-mandatory.patch
+ - Since SSL version 3 is insecure it is supported only if Python
+ supports it. (Closes: #770172)
+
+ -- Daniele Tricoli Sat, 22 Nov 2014 19:44:01 +0100
+
 requests (2.4.3-5) unstable; urgency=medium
 * Team upload.
diff --git a/debian/patches/05_do-not-make-SSLv3-mandatory.patch b/debian/patches/05_do-not-make-SSLv3-mandatory.patch
new file mode 100644
index 0000000..dbeef77
--- /dev/null
+++ b/debian/patches/05_do-not-make-SSLv3-mandatory.patch
@@ -0,0 +1,25 @@
+Description: Since SSL version 3 is insecure it is supported only if Python
+ supports it. In Debian SSL version 3 is disabled in system Python since
+ 2.7.8-12.
+Author: Daniele Tricoli
+Forwarded: https://github.com/shazow/urllib3/issues/487#issuecomment-63805742
+Last/Update: 2014-11-20
+
+--- a/requests/packages/urllib3/contrib/pyopenssl.py
++++ b/requests/packages/urllib3/contrib/pyopenssl.py
+@@ -70,9 +70,14 @@
+ # Map from urllib3 to PyOpenSSL compatible parameter-values.
+ _openssl_versions = {
+ ssl.PROTOCOL_SSLv23: OpenSSL.SSL.SSLv23_METHOD,
+- ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD,
+ ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
+ }
++
++try:
++ _openssl_versions.update({ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD})
++except AttributeError:
++ pass
++
+ _openssl_verify = {
+ ssl.CERT_NONE: OpenSSL.SSL.VERIFY_NONE,
+ ssl.CERT_OPTIONAL: OpenSSL.SSL.VERIFY_PEER,
diff --git a/debian/patches/series b/debian/patches/series
index 38fffac..c373be5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02_use-system-chardet-and-urllib3.patch
 03_export-IncompleteRead.patch
 04_make-requests.packages.urllib3-same-as-urllib3.patch
+05_do-not-make-SSLv3-mandatory.patch
-- cgit v1.2.3
From 140fa9de439ee29a87f5670b7620906c3fa65326 Mon Sep 17 00:00:00 2001
From: Daniele Tricoli
Date: Mon, 16 Mar 2015 01:01:45 +0000
Subject: Fix session fixation and cookie stealing: CVE-2015-2296. (Closes: #780506)
---
 debian/changelog | 5 ++++-
 ...06_do-not-ascribe-cookies-to-the-target-domain.patch | 17 +++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
diff --git a/debian/changelog b/debian/changelog
index 10a3a62..2501b1c 100644
--- a/debian/changelog
+++ b/debian/changelog
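Review bot: The DEP-3 header of the new patch file misspells its date field as `Last/Update: 2014-11-20`; the field name is `Last-Update`, tools that parse DEP-3 headers treat an unknown field as free text, so change it to `Last-Update: 2014-11-20` and consider adding `Bug-Debian: https://bugs.debian.org/770172` next to `Forwarded:`. The `try`/`except AttributeError: pass` added after the `_openssl_versions` dict is right for the stated case (system Python since 2.7.8-12 has no `ssl.PROTOCOL_SSLv3`) and also covers a pyOpenSSL without `SSLv3_METHOD`, but as written it reads like a swallowed error; a comment above the `try`, `# SSLv3 is optional: skip the mapping when Python or pyOpenSSL was built without it`, would record the intent. When the mapping is absent, a caller asking for `ssl.PROTOCOL_SSLv3` presumably fails at a later lookup in `_openssl_versions` outside this hunk, which is the desired outcome (SSLv3 refused rather than substituted) and worth a sentence in the Description. Note that a later commit in this series (bfdec437) drops this patch again, so the unconditional `ssl.PROTOCOL_SSLv3` reference in `pyopenssl.py` returns with it.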
@@ -3,8 +3,11 @@ requests (2.4.3-6) UNRELEASED; urgency=medium
 * debian/patches/05_do-not-make-SSLv3-mandatory.patch
 - Since SSL version 3 is insecure it is supported only if Python
 supports it. (Closes: #770172)
+ * debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
+ - Fix session fixation and cookie stealing: CVE-2015-2296.
+ (Closes: #780506)
- -- Daniele Tricoli Sat, 22 Nov 2014 19:44:01 +0100
+ -- Daniele Tricoli Mon, 16 Mar 2015 01:31:10 +0100
 requests (2.4.3-5) unstable; urgency=medium
diff --git a/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch b/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
new file mode 100644
index 0000000..3dd3bba
--- /dev/null
+++ b/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
diff --git a/debian/patches/series b/debian/patches/series
index c373be5..af44331 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 03_export-IncompleteRead.patch
 04_make-requests.packages.urllib3-same-as-urllib3.patch
 05_do-not-make-SSLv3-mandatory.patch
+06_do-not-ascribe-cookies-to-the-target-domain.patch
-- cgit v1.2.3
From bfdec437376b65cc03626f27bf850b47d65c24d9 Mon Sep 17 00:00:00 2001
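Review bot: The one-line change in `requests/sessions.py` is correct only if `req` is the request that received `resp`, which the seven context lines cannot show: the enclosing redirect loop starts and ends outside the hunk, and the fix relies on `req` being rebound to the previous hop's prepared request before each further redirect, so that should be verified against the upstream commit named in `Origin:` whenever the patch is refreshed. Passing `req` rather than `prepared_request` to `extract_cookies_to_jar` makes cookies from a redirect response belong to the host that sent them instead of the next target, which is the CVE-2015-2296 fix the changelog names. The DEP-3 header has no `Last-Update:` field; `Last-Update: 2015-03-16` would match this commit's date. The patch carries no regression test; if one exists upstream for this commit, including it would catch a future refresh that drifts back to `prepared_request`.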
From: Daniele Tricoli
Date: Mon, 16 Mar 2015 02:53:20 +0000
Subject: Revert my fix for #770172 since it is not an RC bug while I need to fix #780506
---
 ...-not-ascribe-cookies-to-the-target-domain.patch | 17 +++++++++++++++++
 .../patches/05_do-not-make-SSLv3-mandatory.patch | 25 ----------------------
 ...-not-ascribe-cookies-to-the-target-domain.patch | 17 -----------------
 debian/patches/series | 3 +--
 4 files changed, 18 insertions(+), 44 deletions(-)
 create mode 100644 debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
 delete mode 100644 debian/patches/05_do-not-make-SSLv3-mandatory.patch
 delete mode 100644 debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
diff --git a/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch b/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
new file mode 100644
index 0000000..3dd3bba
--- /dev/null
+++ b/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
diff --git a/debian/patches/05_do-not-make-SSLv3-mandatory.patch b/debian/patches/05_do-not-make-SSLv3-mandatory.patch
deleted file mode 100644
index dbeef77..0000000
--- a/debian/patches/05_do-not-make-SSLv3-mandatory.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: Since SSL version 3 is insecure it is supported only if Python
- supports it. In Debian SSL version 3 is disabled in system Python since
- 2.7.8-12.
-Author: Daniele Tricoli
-Forwarded: https://github.com/shazow/urllib3/issues/487#issuecomment-63805742
-Last/Update: 2014-11-20
-
---- a/requests/packages/urllib3/contrib/pyopenssl.py
-+++ b/requests/packages/urllib3/contrib/pyopenssl.py
-@@ -70,9 +70,14 @@
- # Map from urllib3 to PyOpenSSL compatible parameter-values.
- _openssl_versions = {
- ssl.PROTOCOL_SSLv23: OpenSSL.SSL.SSLv23_METHOD,
-- ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD,
- ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
- }
-+
-+try:
-+ _openssl_versions.update({ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD})
-+except AttributeError:
-+ pass
-+
- _openssl_verify = {
- ssl.CERT_NONE: OpenSSL.SSL.VERIFY_NONE,
- ssl.CERT_OPTIONAL: OpenSSL.SSL.VERIFY_PEER,
diff --git a/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch b/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
deleted file mode 100644
index 3dd3bba..0000000
--- a/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Description: Session fixation and cookie stealing.
- See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
- description.
-Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
-Bug-Debian: https://bugs.debian.org/780506
-
---- a/requests/sessions.py
-+++ b/requests/sessions.py
-@@ -168,7 +168,7 @@
- except KeyError:
- pass
-
-- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
-+ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
- prepared_request._cookies.update(self.cookies)
- prepared_request.prepare_cookies(prepared_request._cookies)
-
diff --git a/debian/patches/series b/debian/patches/series
index af44331..bcd27f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,5 +2,4 @@
 02_use-system-chardet-and-urllib3.patch
 03_export-IncompleteRead.patch
 04_make-requests.packages.urllib3-same-as-urllib3.patch
-05_do-not-make-SSLv3-mandatory.patch
-06_do-not-ascribe-cookies-to-the-target-domain.patch
+05_do-not-ascribe-cookies-to-the-target-domain.patch
-- cgit v1.2.3
From acbc4218023286f83a0854cfed99cb3c5a12fb15 Mon Sep 17 00:00:00 2001
From: Daniele Tricoli
Date: Mon, 16 Mar 2015 22:41:25 +0000
Subject: Not mention patch for #770172 since it was removed
---
 debian/changelog | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2501b1c..6e50b85 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,6 @@
 requests (2.4.3-6) UNRELEASED; urgency=medium
- * debian/patches/05_do-not-make-SSLv3-mandatory.patch
- - Since SSL version 3 is insecure it is supported only if Python
- supports it. (Closes: #770172)
- * debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
+ * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
 - Fix session fixation and cookie stealing: CVE-2015-2296.
 (Closes: #780506)
-- cgit v1.2.3
From 84c8199b600a805603600cbeb0a3119bc717e972 Mon Sep 17 00:00:00 2001
From: Piotr Ożarowski
Date: Mon, 16 Mar 2015 22:53:26 +0000
Subject: s/UNRELEASED/unstable/
---
 debian/changelog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 6e50b85..24993e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-requests (2.4.3-6) UNRELEASED; urgency=medium
+requests (2.4.3-6) unstable; urgency=medium
 * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
 - Fix session fixation and cookie stealing: CVE-2015-2296.
-- cgit v1.2.3