Your message dated Thu, 19 Mar 2015 18:45:56 +0100
with message-id <550b0b54.5070...@thykier.net>
and subject line Re: Bug#780808: unblock: requests/2.4.3-6
has caused the Debian Bug report #780808,
regarding unblock: requests/2.4.3-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
780808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780808
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package requests.
Version 2.4.3-6 fixes RC security bug #780506 (CVE-2015-2296).
I already asked for a pre-approval unblock (sorry for the wrong way to do
it):
https://lists.debian.org/debian-release/2015/03/msg00544.html
The debdiff is:
❯ debdiff requests_2.4.3-4.dsc requests_2.4.3-6.dsc
diff -Nru requests-2.4.3/debian/changelog requests-2.4.3/debian/changelog
--- requests-2.4.3/debian/changelog 2014-11-14 09:33:09.000000000 +0100
+++ requests-2.4.3/debian/changelog 2015-03-16 23:48:00.000000000 +0100
@@ -1,3 +1,21 @@
+requests (2.4.3-6) unstable; urgency=medium
+
+ * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
+ - Fix session fixation and cookie stealing: CVE-2015-2296.
+ (Closes: #780506)
+
+ -- Daniele Tricoli <er...@mornie.org> Mon, 16 Mar 2015 01:31:10 +0100
+
+requests (2.4.3-5) unstable; urgency=medium
+
+ * Team upload.
+ * d/control: Remove the Build-Depends on python{,3}-pytest since we
+ aren't actually running the tests at build time. (Closes: #770173)
+ * d/rules: Update the comment about why the tests are currently disabled
+ at build time to point to the updated upstream url.
+
+ -- Barry Warsaw <ba...@debian.org> Wed, 19 Nov 2014 18:00:46 -0500
+
requests (2.4.3-4) unstable; urgency=medium
* debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
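Review bot: The debdiff is taken against 2.4.3-4, so this changelog hunk also brings in the 2.4.3-5 team upload (the Build-Depends removal and the d/rules comment update), which the request text does not mention alongside the CVE-2015-2296 fix. Suggest calling out the 2.4.3-5 changes explicitly in the request so the packaging changes are reviewed deliberately rather than riding along with the security patch.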
diff -Nru requests-2.4.3/debian/control requests-2.4.3/debian/control
--- requests-2.4.3/debian/control 2014-10-21 10:23:21.000000000 +0200
+++ requests-2.4.3/debian/control 2014-11-19 23:59:48.000000000 +0100
@@ -8,12 +8,10 @@
dh-python,
python-all (>= 2.6.6-3),
python-chardet,
- python-pytest,
python-setuptools,
python-urllib3 (>= 1.9.1),
python3-all,
python3-chardet,
- python3-pytest,
python3-setuptools,
python3-urllib3 (>= 1.7.1),
python3-wheel
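Review bot: In the unchanged context of this hunk the version bounds differ between interpreters: python-urllib3 (>= 1.9.1) but python3-urllib3 (>= 1.7.1). That is outside the pytest removal itself, but it is worth confirming whether the Python 3 build really accepts the older urllib3 or whether its bound should also be >= 1.9.1.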
diff -Nru
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
---
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
1970-01-01 01:00:00.000000000 +0100
+++
requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
2015-03-16 22:01:53.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin:
https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies,
prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
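Review bot: The Description in the patch header states the impact (session fixation and cookie stealing) but leaves the actual behaviour change to the openwall link, while the only functional edit is the second argument of extract_cookies_to_jar in requests/sessions.py changing from prepared_request to req. Suggest adding one sentence to the header saying that response cookies are now extracted against req instead of prepared_request, which per the patch name stops them being ascribed to the target domain, so the patch stays understandable if the link goes away. The Origin field could also carry the DEP-3 "upstream," prefix before the commit URL.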
diff -Nru requests-2.4.3/debian/patches/series
requests-2.4.3/debian/patches/series
--- requests-2.4.3/debian/patches/series 2014-11-11 17:28:54.000000000
+0100
+++ requests-2.4.3/debian/patches/series 2015-03-16 22:01:53.000000000
+0100
@@ -2,3 +2,4 @@
02_use-system-chardet-and-urllib3.patch
03_export-IncompleteRead.patch
04_make-requests.packages.urllib3-same-as-urllib3.patch
+05_do-not-ascribe-cookies-to-the-target-domain.patch
diff -Nru requests-2.4.3/debian/rules requests-2.4.3/debian/rules
--- requests-2.4.3/debian/rules 2014-09-07 15:51:39.000000000 +0200
+++ requests-2.4.3/debian/rules 2014-11-19 23:59:48.000000000 +0100
@@ -9,9 +9,9 @@
# can't enable it. Once this issue is fixed, it will be easy to
# re-enable.
#
-# https://github.com/kennethreitz/requests/issues/1166
+# https://github.com/kennethreitz/requests/issues/2184
#
-# ba...@debian.org 2014-06-04
+# ba...@debian.org 2014-11-19
#override_dh_auto_test:
# PYBUILD_SYSTEM=custom \
# PYBUILD_TEST_ARGS="{interpreter} test_requests.py" \
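Review bot: override_dh_auto_test remains commented out after this hunk, which only updates the issue URL and the date in the comment, so the build of 2.4.3-6 does not run test_requests.py and the sessions.py security patch is not exercised by any automated check. Suggest recording in the changelog or in the unblock request how the fix was verified.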
unblock requests/2.4.3-6
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On 2015-03-19 18:24, Daniele Tricoli wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package requests.
>
> Version 2.4.3-6 fixes RC security bug #780506 (CVE-2015-2296).
>
> I already asked for a pre-approval unblock (sorry for the wrong way to do
> it):
> https://lists.debian.org/debian-release/2015/03/msg00544.html
>
> The debdiff is:
> ❯ debdiff requests_2.4.3-4.dsc requests_2.4.3-6.dsc
> [...]
>
>
> unblock requests/2.4.3-6
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---