
Bug#768967: marked as done (unblock: python-requests-kerberos/0.5-2)



Your message dated Mon, 10 Nov 2014 17:29:54 +0100
with message-id <5460E802.9060906@thykier.net>
and subject line Re: Bug#768967: unblock: python-requests-kerberos/0.5-2
has caused the Debian Bug report #768967,
regarding unblock: python-requests-kerberos/0.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

My last upload of python-requests-kerberos fixed CVE-2014-8650:
failure to handle mutual authentication (Closes: #768408)
reported by the security team (debdiff including upstream patch
is attached).

Please unblock python-requests-kerberos/0.5-2

Cheers,

Thomas Goirand (zigo)
diff -Nru python-requests-kerberos-0.5/debian/changelog python-requests-kerberos-0.5/debian/changelog
--- python-requests-kerberos-0.5/debian/changelog	2014-06-27 06:37:32.000000000 +0000
+++ python-requests-kerberos-0.5/debian/changelog	2014-11-10 13:25:13.000000000 +0000
@@ -1,3 +1,11 @@
+python-requests-kerberos (0.5-2) unstable; urgency=high
+
+  * CVE-2014-8650: failure to handle mutual authentication. Applied upstream
+    patch: CVE-2014-8650_Handle_mutual_authentication.patch (Closes: #768408).
+    Thanks to Salvatore Bonaccorso <carnil@debian.org> for reporting it.
+
+ -- Thomas Goirand <zigo@debian.org>  Mon, 10 Nov 2014 21:22:51 +0800
+
 python-requests-kerberos (0.5-1) unstable; urgency=medium
 
   * Initial release. (Closes: #752858)
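Review bot: The 0.5-2 changelog entry names the CVE and the patch file but not the behavioural change, so a reader has to open the patch to learn what was fixed. A short clause taken from the patch header, such as "responses always pass through handle_other()", would make the entry self-explanatory for an urgency=high upload.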
diff -Nru python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch
--- python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-requests-kerberos-0.5/debian/patches/CVE-2014-8650_Handle_mutual_authentication.patch	2014-11-10 13:25:13.000000000 +0000
@@ -0,0 +1,39 @@
+Description: CVE-2014-8650: Handle mutual authentication
+ Make certain that responses always pass through handle_other() to provide
+ mutual authentication before returning them to the user.
+Origin: upstream, https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6.patch
+Author: Michael Komitee <komitee@deshaw.com>
+Date: Fri, 8 Aug 2014 17:47:42 -0400
+Bug-Debian: https://bugs.debian.org/768408
+Index: python-requests-kerberos/requests_kerberos/kerberos_.py
+===================================================================
+--- python-requests-kerberos.orig/requests_kerberos/kerberos_.py	2014-06-12 09:10:24.000000000 +0800
++++ python-requests-kerberos/requests_kerberos/kerberos_.py	2014-11-10 21:24:56.000000000 +0800
+@@ -251,7 +251,7 @@
+         if response.status_code == 401:
+             _r = self.handle_401(response, **kwargs)
+             log.debug("handle_response(): returning {0}".format(_r))
+-            return _r
++            return self.handle_response(_r, **kwargs)
+         else:
+             _r = self.handle_other(response)
+             log.debug("handle_response(): returning {0}".format(_r))
+Index: python-requests-kerberos/test_requests_kerberos.py
+===================================================================
+--- python-requests-kerberos.orig/test_requests_kerberos.py	2014-11-10 21:24:56.000000000 +0800
++++ python-requests-kerberos/test_requests_kerberos.py	2014-11-10 21:24:56.000000000 +0800
+@@ -403,10 +403,14 @@
+             response.connection = connection
+             response._content = ""
+             response.raw = raw
++
+             auth = requests_kerberos.HTTPKerberosAuth()
++            auth.handle_other = Mock(return_value=response_ok)
++
+             r = auth.handle_response(response)
+ 
+             self.assertTrue(response in r.history)
++            auth.handle_other.assert_called_with(response_ok)
+             self.assertEqual(r, response_ok)
+             self.assertEqual(request.headers['Authorization'], 'Negotiate GSSRESPONSE')
+             connection.send.assert_called_with(request)
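Review bot: In the kerberos_.py hunk, `return self.handle_response(_r, **kwargs)` re-enters handle_response() with whatever handle_401() returned, and nothing in the visible lines bounds that recursion if `_r` is itself a 401. Consider counting 401 rounds on the auth object, or calling `self.handle_other(_r)` directly when `_r.status_code != 401`, and add a comment stating what terminates the recursion. In the test hunk, `auth.handle_other = Mock(return_value=response_ok)` only exercises the path where mutual authentication succeeds. A second case in which the mocked handle_other signals failure would cover the behaviour the CVE is about.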
diff -Nru python-requests-kerberos-0.5/debian/patches/series python-requests-kerberos-0.5/debian/patches/series
--- python-requests-kerberos-0.5/debian/patches/series	2014-06-27 06:37:32.000000000 +0000
+++ python-requests-kerberos-0.5/debian/patches/series	2014-11-10 13:25:13.000000000 +0000
@@ -1,2 +1,3 @@
 disable-broken-test-in-python3.patch
 fix-setup.py-to-work-with-python3.patch
+CVE-2014-8650_Handle_mutual_authentication.patch

--- End Message ---
--- Begin Message ---
On 2014-11-10 14:31, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> My last upload of python-requests-kerberos fixed CVE-2014-8650:
> failure to handle mutual authentication (Closes: #768408)
> reported by the security team (debdiff including upstream patch
> is attached).
> 
> Please unblock python-requests-kerberos/0.5-2
> 
> Cheers,
> 
> Thomas Goirand (zigo)
> 

Unblocked, thanks.

~Niels

--- End Message ---
