On Wed, 31 Oct 2018 18:19:11 -0500, Edward Lopez-Acosta <elopezaco...@gmail.com> wrote:
> Changelog:
> - Fixed in 2.20.0 - CVE 2018-18074
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18074
>
> The Requests package before 2.20.0 for Python sends an HTTP
> Authorization header to an http URI upon receiving a same-hostname
> https-to-http redirect, which makes it easier for remote attackers to
> discover credentials by sniffing the network.
>
> Diff attached. Builds fine on amd64 and only thing that requires it
> is upt-pypi (limited to py3 variant).
>
> Ok to merge?

The update looks good. The PLIST diff doesn't seem to be needed on my side
(and is removed if I regen the plist). I'd like to commit it really soon.
2.20.0 was tagged two weeks ago so I guess it should be fine as there's no
.1 :)

Any objection? (or ok)

I'd like to add it to quirks as well. I'm not clever enough for the cve
stuff and I don't have any flavour example, is this diff correct?

Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.634
diff -u -p -r1.634 Makefile
--- Makefile 31 Oct 2018 23:01:55 -0000 1.634
+++ Makefile 1 Nov 2018 00:23:47 -0000
@@ -5,7 +5,7 @@ CATEGORIES = devel databases
 
 DISTFILES = # API.rev
 
-PKGNAME = quirks-3.27
+PKGNAME = quirks-3.28
 PKG_ARCH = *
 
 MAINTAINER = Marc Espie <es...@openbsd.org>
Index: files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.648
diff -u -p -r1.648 Quirks.pm
--- files/Quirks.pm 31 Oct 2018 23:01:55 -0000 1.648
+++ files/Quirks.pm 1 Nov 2018 00:23:47 -0000
@@ -1212,6 +1212,8 @@ my $cve = {
 'www/iridium' => 'iridium-<2018.5.67',
 'www/mozilla-firefox' => 'firefox-<62.0.2p0',
 'www/p5-CGI-Application' => 'p5-CGI-Application-<4.50p0',
+'www/py-requests' => 'py-requests-<2.20.0',
+'www/py-requests,python3' => 'py3-requests-<2.20.0',
 'www/webkitgtk4' => 'webkitgtk4-<2.20.5',
 'x11/gnome/gdm' => 'gdm-<3.28.3',
 };
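Review bot: the two new $cve entries are consistent with the surrounding lines (full pkgpath as the key, package stem plus a version spec as the value), and pairing the flavored key 'www/py-requests,python3' with the py3-requests stem is the right way to cover the python3 flavour, since the lookup is by the installed package's pkgpath and the spec is matched against its stem. Two things to confirm before committing: the specs are '<2.20.0' with no p0 suffix, which is correct only because the fix ships as the upstream 2.20.0 bump named in the changelog rather than as a local patch with a REVISION bump (contrast the neighbouring 'firefox-<62.0.2p0' and 'p5-CGI-Application-<4.50p0'), and the two keys have to be the exact pkgpaths the www/py-requests port produces for each flavour, or pkg_add will never emit the warning for installed py-requests/py3-requests packages.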
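For the vulnerability the quoted changelog describes, here is an added example (my own code, not from the requests project and not from this thread) that models the decision a client makes about the Authorization header when it follows a redirect: the pre-2.20.0 rule, which only looks at the hostname and therefore lets a same-host https-to-http redirect carry the credentials onto a clear-text connection, beside the 2.20.0-style rule, which also strips the header on a scheme or port change. The function names, the DEFAULT_PORTS table, the sample headers and URLs are my own; the exception that keeps the header on an http:80 to https:443 upgrade is an assumption about the fixed behaviour, not something the thread states, so check it against the real requests code before relying on it.

```python
# Added example, not code from the requests project or from the ports thread.
# Models the redirect credential-stripping rule before and after requests
# 2.20.0 (CVE-2018-18074).  Function names, the port table and all sample
# input below are my own.
from urllib.parse import urlsplit

# Assumed default ports, used to decide whether a port really changed.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Port the request actually goes to: the explicit port, else the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def strip_auth_pre_2_20(old_url, new_url):
    """Vulnerable rule (before 2.20.0): drop Authorization only when the host
    changes.  A same-host https -> http redirect keeps the header, so the
    credentials go out in clear text on the second request."""
    return urlsplit(old_url).hostname != urlsplit(new_url).hostname


def strip_auth_2_20(old_url, new_url):
    """Fixed rule (2.20.0 style): also drop Authorization when the scheme or the
    effective port changes.  The only tolerated change is the upgrade from
    http on port 80 to https on port 443 (assumption, see the lead-in)."""
    old, new = urlsplit(old_url), urlsplit(new_url)
    if old.hostname != new.hostname:
        return True
    old_port, new_port = effective_port(old_url), effective_port(new_url)
    if old.scheme == "http" and new.scheme == "https" and (old_port, new_port) == (80, 443):
        return False
    return old.scheme != new.scheme or old_port != new_port


def headers_for_redirect(headers, old_url, new_url, policy):
    """Headers that would be sent to new_url after a redirect from old_url
    under the given stripping policy."""
    out = dict(headers)
    if policy(old_url, new_url):
        out.pop("Authorization", None)
    return out


if __name__ == "__main__":
    # Constructed sample: a Basic-auth request answered with a same-host
    # downgrade redirect, the exact case in the CVE description.
    sent = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"}
    first, second = "https://api.example.com/v1/", "http://api.example.com/v1/"
    for name, policy in (("pre-2.20.0", strip_auth_pre_2_20), ("2.20.0", strip_auth_2_20)):
        leaked = "Authorization" in headers_for_redirect(sent, first, second, policy)
        print(f"{name}: Authorization sent over http = {leaked}")
```

Run stand-alone it prints that the old rule forwards the header to the http URL and the new rule does not; the same functions can be fed any pair of URLs to see which redirects keep credentials under each policy.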