Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package requests.

Version 2.4.3-6 fixes RC security bug #780506 (CVE-2015-2296).

I already asked a pre-approval unblock (sorry for the wrong way to do
it):
https://lists.debian.org/debian-release/2015/03/msg00544.html

The debdiff is:
❯ debdiff requests_2.4.3-4.dsc requests_2.4.3-6.dsc 
diff -Nru requests-2.4.3/debian/changelog requests-2.4.3/debian/changelog
--- requests-2.4.3/debian/changelog     2014-11-14 09:33:09.000000000 +0100
+++ requests-2.4.3/debian/changelog     2015-03-16 23:48:00.000000000 +0100
@@ -1,3 +1,21 @@
+requests (2.4.3-6) unstable; urgency=medium
+
+  * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
+    - Fix session fixation and cookie stealing: CVE-2015-2296.
+      (Closes: #780506)
+
+ -- Daniele Tricoli <er...@mornie.org>  Mon, 16 Mar 2015 01:31:10 +0100
+
+requests (2.4.3-5) unstable; urgency=medium
+
+  * Team upload.
+  * d/control: Remove the Build-Depends on python{,3}-pytest since we
+    aren't actually running the tests at build time.  (Closes: #770173)
+  * d/rules: Update the comment about why the tests are currently disabled
+    at build time to point to the updated upstream url.
+
+ -- Barry Warsaw <ba...@debian.org>  Wed, 19 Nov 2014 18:00:46 -0500
+
 requests (2.4.3-4) unstable; urgency=medium
 
   * debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
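Review bot: the debdiff spans two uploads, 2.4.3-5 and 2.4.3-6, so this unblock also carries the non-security changes from -5 (dropping the python{,3}-pytest Build-Depends and rewording the d/rules comment); it would help the release team to state in the request that those are build-metadata only and that the CVE fix is confined to the new 05 patch.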
diff -Nru requests-2.4.3/debian/control requests-2.4.3/debian/control
--- requests-2.4.3/debian/control       2014-10-21 10:23:21.000000000 +0200
+++ requests-2.4.3/debian/control       2014-11-19 23:59:48.000000000 +0100
@@ -8,12 +8,10 @@
  dh-python,
  python-all (>= 2.6.6-3),
  python-chardet,
- python-pytest,
  python-setuptools,
  python-urllib3 (>= 1.9.1),
  python3-all,
  python3-chardet,
- python3-pytest,
  python3-setuptools,
  python3-urllib3 (>= 1.7.1),
  python3-wheel
diff -Nru 
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
 
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
--- 
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
  2015-03-16 22:01:53.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin: 
https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+             except KeyError:
+                 pass
+ 
+-            extract_cookies_to_jar(prepared_request._cookies, 
prepared_request, resp.raw)
++            extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+             prepared_request._cookies.update(self.cookies)
+             prepared_request.prepare_cookies(prepared_request._cookies)
+ 
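Review bot: the one-line change passes `req` instead of `prepared_request` to `extract_cookies_to_jar`, so Set-Cookie headers on a redirect response are filed under the URL that issued them rather than under the redirect target that `prepared_request` already points at; the hunk does not show whether `req` is rebound to the request that produced each hop, so a multi-hop redirect chain should be checked to confirm every hop's cookies land under the right origin rather than the first URL. On the DEP-3 header, Origin and Bug-Debian are present but there is no Forwarded or Applied-Upstream field; since Origin is an upstream commit, adding `Forwarded: not-needed` (or Applied-Upstream with the release that contains it) makes the status explicit, and the Description would read better as what the patch does ("Ascribe redirect cookies to the request that received them") rather than the name of the vulnerability.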
diff -Nru requests-2.4.3/debian/patches/series 
requests-2.4.3/debian/patches/series
--- requests-2.4.3/debian/patches/series        2014-11-11 17:28:54.000000000 
+0100
+++ requests-2.4.3/debian/patches/series        2015-03-16 22:01:53.000000000 
+0100
@@ -2,3 +2,4 @@
 02_use-system-chardet-and-urllib3.patch
 03_export-IncompleteRead.patch
 04_make-requests.packages.urllib3-same-as-urllib3.patch
+05_do-not-ascribe-cookies-to-the-target-domain.patch
diff -Nru requests-2.4.3/debian/rules requests-2.4.3/debian/rules
--- requests-2.4.3/debian/rules 2014-09-07 15:51:39.000000000 +0200
+++ requests-2.4.3/debian/rules 2014-11-19 23:59:48.000000000 +0100
@@ -9,9 +9,9 @@
 # can't enable it.  Once this issue is fixed, it will be easy to
 # re-enable.
 #
-# https://github.com/kennethreitz/requests/issues/1166
+# https://github.com/kennethreitz/requests/issues/2184
 #
-# ba...@debian.org 2014-06-04
+# ba...@debian.org 2014-11-19
 #override_dh_auto_test:
 #      PYBUILD_SYSTEM=custom \
 #      PYBUILD_TEST_ARGS="{interpreter} test_requests.py" \
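Review bot: with override_dh_auto_test still commented out, nothing at build time exercises the redirect cookie path touched by patch 05; running upstream's test_requests.py against the patched tree by hand before upload, and saying so in the request, would give the release team more assurance than the debdiff alone.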


unblock requests/2.4.3-6

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

