Mandriva Linux Security Advisory : python-requests (MDVSA-2015:133)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Updated python-requests packages fix security vulnerabilities :

python-requests was found to have a vulnerability in which an attacker
can retrieve passwords from the ~/.netrc file through redirect
requests, if the user has passwords stored in that file
(CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header
was never re-evaluated when a redirect occurs. The header was therefore
sent to any new proxy or non-proxy destination the request was
redirected to (CVE-2014-1830).

In python-requests before 2.6.0, a cookie without a host value set
would use the hostname of the redirected URL, exposing requests users
to session fixation attacks and potentially cookie stealing
(CVE-2015-2296).
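
The three redirect-handling rules described above, written as stand-alone checks. This is an added example, not code from python-requests or from this advisory; the function names, the `proxy_auth_for` callable, the hostnames and the header values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL ('' if absent)."""
    return (urlsplit(url).hostname or "").lower()

def without(headers, name):
    """Copy of headers with `name` removed, matched case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}

def headers_for_redirect(headers, original_url, redirect_url, proxy_auth_for):
    """Headers that are safe to send to redirect_url.

    proxy_auth_for is a hypothetical callable: URL -> Proxy-Authorization
    value for the proxy that will carry that URL, or None.
    """
    out = dict(headers)
    # CVE-2014-1829 class: credentials (e.g. from ~/.netrc) were chosen for
    # the original host, so they must not follow a redirect to another host.
    if host_of(original_url) != host_of(redirect_url):
        out = without(out, "Authorization")
    # CVE-2014-1830 class: never carry Proxy-Authorization over; re-evaluate
    # it for the new destination instead.
    out = without(out, "Proxy-Authorization")
    value = proxy_auth_for(redirect_url)
    if value:
        out["Proxy-Authorization"] = value
    return out

def cookie_domain(domain_attr, responding_url):
    """CVE-2015-2296 class: a cookie with no Domain attribute is scoped to
    the host that sent it, not to the host the response redirects to."""
    return (domain_attr or host_of(responding_url)).lstrip(".").lower()

# Constructed sample values (not taken from the advisory).
SENT = {"Authorization": "Basic dXNlcjpwdw==", "proxy-authorization": "Basic cDE=",
        "Accept": "*/*"}
PROXIES = {"intranet.example": "Basic cDE="}

def lookup(url):
    """Constructed proxy-credential lookup keyed by destination host."""
    return PROXIES.get(host_of(url))

if __name__ == "__main__":
    print(headers_for_redirect(SENT, "https://intranet.example/a",
                               "https://other.example/b", lookup))
    print(cookie_domain(None, "https://intranet.example/a"))
```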

See also :

http://advisories.mageia.org/MGASA-2014-0409.html
http://advisories.mageia.org/MGASA-2015-0120.html

Solution :

Update the affected python-requests and / or python3-requests
packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 82386

Bugtraq ID:

CVE ID: CVE-2014-1829
CVE-2014-1830
CVE-2015-2296
