[Python-modules-team] Bug#910766: requests: CVE-2018-18074
Salvatore Bonaccorso
carnil at debian.org
Wed Oct 10 21:50:47 BST 2018
Source: requests
Version: 2.18.4-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/requests/requests/issues/4716
Hi,
The following vulnerability was published for requests.
CVE-2018-18074[0]:
| The Requests package through 2.19.1 before 2018-09-14 for Python sends
| an HTTP Authorization header to an http URI upon receiving a
| same-hostname https-to-http redirect, which makes it easier for remote
| attackers to discover credentials by sniffing the network.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-18074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
[1] https://github.com/requests/requests/issues/4716
[2] https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
[3] https://github.com/requests/requests/pull/4718
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Python-modules-team
mailing list