Bug#768967: unblock: python-requests-kerberos/0.5-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
My last upload of python-requests-kerberos fixed CVE-2014-8650:
failure to handle mutual authentication (Closes: #768408)
reported by the security team (debdiff including upstream patch
is attached).
Please unblock python-requests-kerberos/0.5-2
Cheers,
Thomas Goirand (zigo)
diff -Nru python-requests-kerberos-0.5/debian/changelog python-requests-kerberos-0.5/debian/changelog
--- python-requests-kerberos-0.5/debian/changelog 2014-06-27 06:37:32.000000000 +0000
+++ python-requests-kerberos-0.5/debian/changelog 2014-11-10 13:25:13.000000000 +0000
@@ -1,3 +1,11 @@
+python-requests-kerberos (0.5-2) unstable; urgency=high
+
+ * CVE-2014-8650: failure to handle mutual authentication. Applied upstream
+ patch: CVE-2014-8650_Handle_mutual_authentication.patch (Closes: #768408).
+ Thanks to Salvatore Bonaccorso <carnil@debian.org> for reporting it.
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 10 Nov 2014 21:22:51 +0800
+
python-requests-kerberos (0.5-1) unstable; urgency=medium
* Initial release. (Closes: #752858)
diff -Nru python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch
--- python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch 2014-11-10 13:25:13.000000000 +0000
@@ -0,0 +1,39 @@
+Description: CVE-2014-8650: Handle mutual authentication
+ Make certain that responses always pass through handle_other() to provide
+ mutual authentication before returning them to the user.
+Origin: upstream, https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6.patch
+Author: Michael Komitee <komitee@deshaw.com>
+Date: Fri, 8 Aug 2014 17:47:42 -0400
+Bug-Debian: https://bugs.debian.org/768408
+Index: python-requests-kerberos/requests_kerberos/kerberos_.py
+===================================================================
+--- python-requests-kerberos.orig/requests_kerberos/kerberos_.py 2014-06-12 09:10:24.000000000 +0800
++++ python-requests-kerberos/requests_kerberos/kerberos_.py 2014-11-10 21:24:56.000000000 +0800
+@@ -251,7 +251,7 @@
+ if response.status_code == 401:
+ _r = self.handle_401(response, **kwargs)
+ log.debug("handle_response(): returning {0}".format(_r))
+- return _r
++ return self.handle_response(_r, **kwargs)
+ else:
+ _r = self.handle_other(response)
+ log.debug("handle_response(): returning {0}".format(_r))
+Index: python-requests-kerberos/test_requests_kerberos.py
+===================================================================
+--- python-requests-kerberos.orig/test_requests_kerberos.py 2014-11-10 21:24:56.000000000 +0800
++++ python-requests-kerberos/test_requests_kerberos.py 2014-11-10 21:24:56.000000000 +0800
+@@ -403,10 +403,14 @@
+ response.connection = connection
+ response._content = ""
+ response.raw = raw
++
+ auth = requests_kerberos.HTTPKerberosAuth()
++ auth.handle_other = Mock(return_value=response_ok)
++
+ r = auth.handle_response(response)
+
+ self.assertTrue(response in r.history)
++ auth.handle_other.assert_called_with(response_ok)
+ self.assertEqual(r, response_ok)
+ self.assertEqual(request.headers['Authorization'], 'Negotiate GSSRESPONSE')
+ connection.send.assert_called_with(request)
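Review bot: the new `return self.handle_response(_r, **kwargs)` in the 401 branch of kerberos_.py recurses with no bound visible in this hunk. If the response returned by handle_401() is itself a 401, the same branch runs again, and nothing in these lines caps the number of rounds. Consider counting 401 responses per request and returning the response unchanged once a small limit is reached. In the test_requests_kerberos.py part, handle_other is replaced by a Mock that returns response_ok, so `auth.handle_other.assert_called_with(response_ok)` only proves the response is routed through handle_other, not that a failed mutual authentication is rejected. A second test case in which handle_other raises would cover the failure path that the patch description is about.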
diff -Nru python-requests-kerberos-0.5/debian/patches/series python-requests-kerberos-0.5/debian/patches/series
--- python-requests-kerberos-0.5/debian/patches/series 2014-06-27 06:37:32.000000000 +0000
+++ python-requests-kerberos-0.5/debian/patches/series 2014-11-10 13:25:13.000000000 +0000
@@ -1,2 +1,3 @@
disable-broken-test-in-python3.patch
fix-setup.py-to-work-with-python3.patch
+CVE-2014-8650_Handle_mutual_authentication.patch