[Python-modules-commits] r32014 - in packages/requests/trunk/debian (3 files)

eriol-guest at users.alioth.debian.org
Mon Mar 16 01:01:48 UTC 2015


    Date: Monday, March 16, 2015 @ 01:01:45
  Author: eriol-guest
Revision: 32014

Fix session fixation and cookie stealing: CVE-2015-2296. (Closes: #780506)

Added:
  packages/requests/trunk/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
Modified:
  packages/requests/trunk/debian/changelog
  packages/requests/trunk/debian/patches/series

Modified: packages/requests/trunk/debian/changelog
===================================================================
--- packages/requests/trunk/debian/changelog	2015-03-14 13:01:09 UTC (rev 32013)
+++ packages/requests/trunk/debian/changelog	2015-03-16 01:01:45 UTC (rev 32014)
@@ -3,8 +3,11 @@
   * debian/patches/05_do-not-make-SSLv3-mandatory.patch
     - Since SSL version 3 is insecure it is supported only if Python
       supports it. (Closes: #770172)
+  * debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
+    - Fix session fixation and cookie stealing: CVE-2015-2296.
+      (Closes: #780506)
 
- -- Daniele Tricoli <eriol at mornie.org>  Sat, 22 Nov 2014 19:44:01 +0100
+ -- Daniele Tricoli <eriol at mornie.org>  Mon, 16 Mar 2015 01:31:10 +0100
 
 requests (2.4.3-5) unstable; urgency=medium
 
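Review bot: The added bullet for 06_do-not-ascribe-cookies-to-the-target-domain.patch gives the CVE id and the bug number but not the behaviour that changes, so someone reading only the changelog cannot tell what the fix affects. Consider one more clause, in line with the patch name, stating that cookies are no longer ascribed to the target domain. The trailer date also moves from 22 Nov 2014 to 16 Mar 2015 on the same entry, and the entry header is outside this hunk, so check that this version has not already been uploaded and that its urgency suits a CVE fix.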

Added: packages/requests/trunk/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch
===================================================================
--- packages/requests/trunk/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch	                        (rev 0)
+++ packages/requests/trunk/debian/patches/06_do-not-ascribe-cookies-to-the-target-domain.patch	2015-03-16 01:01:45 UTC (rev 32014)
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+             except KeyError:
+                 pass
+ 
+-            extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++            extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+             prepared_request._cookies.update(self.cookies)
+             prepared_request.prepare_cookies(prepared_request._cookies)
+ 
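Review bot: `req` on the changed `extract_cookies_to_jar(...)` line is not bound anywhere in the visible context around line 168, and the patch is taken from an upstream commit, so confirm that in the packaged requests/sessions.py `req` is the request that actually produced `resp` at that point, and that it is updated if this code runs more than once per call; otherwise cookies would still be stored against the wrong request. Two smaller points on the header: the Origin field could state its type ("upstream, <URL>") and a Last-Update field is missing. The patch also carries no regression test for the cookie attribution, so the fix can only be verified by hand.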

Modified: packages/requests/trunk/debian/patches/series
===================================================================
--- packages/requests/trunk/debian/patches/series	2015-03-14 13:01:09 UTC (rev 32013)
+++ packages/requests/trunk/debian/patches/series	2015-03-16 01:01:45 UTC (rev 32014)
@@ -3,3 +3,4 @@
 03_export-IncompleteRead.patch
 04_make-requests.packages.urllib3-same-as-urllib3.patch
 05_do-not-make-SSLv3-mandatory.patch
+06_do-not-ascribe-cookies-to-the-target-domain.patch



