Changelog:
- Fixed in 2.20.0 - CVE 2018-18074

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Diff attached. Builds fine on amd64, and the only thing that requires it is upt-pypi (limited to the py3 variant).

Ok to merge?
--
Edward Lopez-Acosta
diff --git a/www/py-requests/Makefile b/www/py-requests/Makefile
index 99a31c7d4c0..95a1d504667 100644
--- a/www/py-requests/Makefile
+++ b/www/py-requests/Makefile
@@ -2,13 +2,9 @@
 
 COMMENT=		elegant and simple HTTP library for Python
 
-MODPY_EGG_VERSION=	2.18.4
+MODPY_EGG_VERSION=	2.20.0
 DISTNAME=		requests-${MODPY_EGG_VERSION}
 PKGNAME=		py-${DISTNAME}
-REVISION=		0
-
-# XXX remove during next update
-DISTFILES =		${DISTNAME}_1{${DISTNAME}}${EXTRACT_SUFX}
 
 CATEGORIES=		www
 
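Review bot: nothing in this hunk touches the dependency lines, yet the bump at `MODPY_EGG_VERSION` goes from 2.18.4 to 2.20.0 and so crosses two minor versions; please confirm that the version bounds upstream's setup.py declares for its own dependencies are still satisfied by what is in the tree, and adjust RUN_DEPENDS in the same diff if they are not. Dropping `REVISION` and the `DISTFILES` override marked `# XXX remove during next update` is the right cleanup for a version bump.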
diff --git a/www/py-requests/distinfo b/www/py-requests/distinfo
index 6a3a0f542b2..dfbc7c0549f 100644
--- a/www/py-requests/distinfo
+++ b/www/py-requests/distinfo
@@ -1,2 +1,2 @@
-SHA256 (requests-2.18.4_1.tar.gz) = nEQ+cyS6W4UHDEqBit4ov6vt8W6hAgbaETLtqm3aI34=
-SIZE (requests-2.18.4_1.tar.gz) = 126224
+SHA256 (requests-2.20.0.tar.gz) = mdz9qusXyvblJvMrant4BGFRKrPx2ZIYeAFpTLpCdww=
+SIZE (requests-2.20.0.tar.gz) = 111179
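Review bot: the new `SHA256 (requests-2.20.0.tar.gz)` value should be compared against the digest upstream publishes for the 2.20.0 source tarball before this goes in, since it is a security update and the distfile name changes from the renamed `requests-2.18.4_1.tar.gz` to the plain upstream name. The SIZE drop from 126224 to 111179 also deserves a quick look at the tarball contents to confirm nothing the port relies on went missing.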
diff --git a/www/py-requests/pkg/PLIST b/www/py-requests/pkg/PLIST
index bf0d0e12636..feac233b56f 100644
--- a/www/py-requests/pkg/PLIST
+++ b/www/py-requests/pkg/PLIST
@@ -1,4 +1,6 @@
 @comment $OpenBSD: PLIST,v 1.12 2018/01/21 23:20:10 jung Exp $
+lib/python${MODPY_VERSION}/
+lib/python${MODPY_VERSION}/site-packages/
 lib/python${MODPY_VERSION}/site-packages/requests/
 lib/python${MODPY_VERSION}/site-packages/requests-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info/
 lib/python${MODPY_VERSION}/site-packages/requests-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info/PKG-INFO
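Review bot: the two added directory entries, `lib/python${MODPY_VERSION}/` and `lib/python${MODPY_VERSION}/site-packages/`, look unintended. The previous PLIST started at `site-packages/requests/`, and those parent directories are normally owned by the Python package itself, so listing them here suggests the packing list was regenerated without the dependencies being picked up. Please regenerate it with the dependencies installed and drop these two lines unless there is a reason for this port to own them.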

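The redirect rule behind the CVE description quoted in the mail above, as an added example that is not part of the original mail and is not Requests' own code: a scheme-aware check for when an `Authorization` header may be forwarded to a redirect target. The function names and the `api.example.test` chain are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def should_strip_auth(old_url, new_url):
    """True if Authorization must not be forwarded from old_url to new_url."""
    old_scheme, old_host, old_port = origin(old_url)
    new_scheme, new_host, new_port = origin(new_url)
    if old_host != new_host:
        return True          # different host: never forward credentials
    if (old_scheme, old_port, new_scheme, new_port) == ("http", 80, "https", 443):
        return False         # same-host upgrade on default ports is safe
    # Any other scheme or port change, including the same-hostname
    # https -> http downgrade from the CVE text, drops the header.
    return (old_scheme, old_port) != (new_scheme, new_port)


def follow(chain, headers):
    """Walk a redirect chain and return the headers sent at each hop."""
    sent = [(chain[0], dict(headers))]
    current = dict(headers)
    for old_url, new_url in zip(chain, chain[1:]):
        if "Authorization" in current and should_strip_auth(old_url, new_url):
            del current["Authorization"]   # once dropped, it stays dropped
        sent.append((new_url, dict(current)))
    return sent


# Constructed sample chain: same hostname, https -> http downgrade, then back.
CHAIN = [
    "https://api.example.test/login",
    "http://api.example.test/login",
    "https://api.example.test/home",
]

if __name__ == "__main__":
    for url, hdrs in follow(CHAIN, {"Authorization": "Basic <placeholder>"}):
        print(url, "Authorization" in hdrs)
```
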