Please fix handling of cookies on redirect

Bug #1432555 reported by Dan Watkins on 2015-03-16
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
requests (Debian)
Fix Released
Unknown
requests (Ubuntu)
Undecided
Marc Deslauriers
Precise
Undecided
Unassigned
Trusty
Undecided
Marc Deslauriers
Utopic
Undecided
Marc Deslauriers
Vivid
Undecided
Marc Deslauriers

Bug Description

Requests 2.6.0 includes a fix for CVE-2015-2296[0] which is present in all versions of python-requests in Ubuntu since trusty. For more information, see the CVE requests at [1].

I believe that the fix happens in the commit in [2].

[0] http://docs.python-requests.org/en/latest/community/updates/#id1
[1] http://www.openwall.com/lists/oss-security/2015/03/14/4
[2] https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc

Dan Watkins (daniel-thewatkins) wrote :

This is #780506 in Debian's BTS[0].

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780506

Dan Watkins (daniel-thewatkins) wrote :
information type: Private Security → Public Security
Dan Watkins (daniel-thewatkins) wrote :

vivid has the version of python-requests in Debian unstable, so it probably makes sense to wait for the fix to land there and then sync.

Dan Watkins (daniel-thewatkins) wrote :

https://gist.github.com/OddBloke/211ff98b63a8cfb3f6d4 will verify whether or not the fix has worked.

affects: python-requests (Ubuntu) → requests (Ubuntu)
Changed in requests (Ubuntu Precise):
status: New → Confirmed
Changed in requests (Ubuntu Trusty):
status: New → Confirmed
Changed in requests (Ubuntu Utopic):
status: New → Confirmed
Changed in requests (Ubuntu Vivid):
status: New → Confirmed
Changed in requests (Ubuntu Precise):
status: Confirmed → Invalid
Changed in requests (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in requests (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in requests (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)

The attachment "debdiff fixing CVE-2015-2296 in trusty" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package requests - 2.3.0-1ubuntu0.1

---------------
requests (2.3.0-1ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Session fixation and cookie stealing issue
    (LP: #1432555).
    - debian/patches/CVE-2015-2296.patch: extract cookies from the original
      request (which still has the host which returned the cookies)
    - CVE-2015-2296
 -- Daniel Watkins <email address hidden> Mon, 16 Mar 2015 10:37:44 +0000

Changed in requests (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package requests - 2.2.1-1ubuntu0.2

---------------
requests (2.2.1-1ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Session fixation and cookie stealing issue
    (LP: #1432555).
    - debian/patches/CVE-2015-2296.patch: extract cookies from the original
      request (which still has the host which returned the cookies)
    - CVE-2015-2296
 -- Daniel Watkins <email address hidden> Mon, 16 Mar 2015 10:11:03 +0000

Changed in requests (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in requests (Debian):
status: Unknown → Fix Released
Changed in requests (Ubuntu Vivid):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.