diff -Nru requests-2.2.1/debian/changelog requests-2.2.1/debian/changelog
--- requests-2.2.1/debian/changelog 2015-03-17 23:40:54.000000000 +0000
+++ requests-2.2.1/debian/changelog 2018-10-10 16:27:25.000000000 +0000
@@ -1,3 +1,11 @@
+requests (2.2.1-1ubuntu0.4) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Creadentials through HTTP Authorization header
+ - debian/patches/CVE-2018-18074.patch: fix in requests/sessions.py.
+ - CVE-2018-18074
+
+ -- Leonidas S. Barbosa Wed, 10 Oct 2018 13:24:54 -0300
+
 requests (2.2.1-1ubuntu0.3) trusty-proposed; urgency=medium
 * SRU, update python3.4 for trusty. LP: #1433324.
diff -Nru requests-2.2.1/debian/patches/CVE-2018-18074.patch requests-2.2.1/debian/patches/CVE-2018-18074.patch
--- requests-2.2.1/debian/patches/CVE-2018-18074.patch 1970-01-01 00:00:00.000000000 +0000
+++ requests-2.2.1/debian/patches/CVE-2018-18074.patch 2018-10-10 16:24:30.000000000 +0000
@@ -0,0 +1,65 @@
+Backported of:
+
+From 3331e2aecdbf575dd60abef4df79c52d78610a83 Mon Sep 17 00:00:00 2001
+From: Bruce Merry
+Date: Thu, 28 Jun 2018 16:38:42 +0200
+Subject: [PATCH 1/2] Strip Authorization header whenever root URL changes
+
+Previously the header was stripped only if the hostname changed, but in
+an https -> http redirect that can leak the credentials on the wire
+(#4716). Based on with RFC 7235 section 2.2, the header is now stripped
+if the "canonical root URL" (scheme+authority) has changed, by checking
+scheme, hostname and port.
+
+
+From 857e9b7ac20c3accf4cc328f594aecb8b6a644a6 Mon Sep 17 00:00:00 2001
+From: Bruce Merry
+Date: Tue, 14 Aug 2018 13:30:43 +0200
+Subject: [PATCH 2/2] Rework authorization stripping logic as discussed
+
+The exception for http->https upgrade now requires the standard HTTP(S)
+ports to be used, either implicitly (no port specified) or explicitly.
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 6c08be8..96f7330 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -87,6 +87,22 @@ def merge_hooks(request_hooks, session_hooks, dict_class=OrderedDict):
+
+
+ class SessionRedirectMixin(object):
++ def should_strip_auth(self, old_url, new_url):
++ """Decide whether Authorization header should be removed when redirecting"""
++ old_parsed = urlparse(old_url)
++ new_parsed = urlparse(new_url)
++ if old_parsed.hostname != new_parsed.hostname:
++ return True
++ # Special case: allow http -> https redirect when using the standard
++ # ports. This isn't specified by RFC 7235, but is kept to avoid
++ # breaking backwards compatibility with older versions of requests
++ # that allowed any redirects on the same host.
++ if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
++ and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
++ return False
++ # Standard case: root URI must match
++ return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
++
+ def resolve_redirects(self, resp, req, stream=False, timeout=None,
+ verify=True, cert=None, proxies=None):
+ """Receives a Response. Returns a generator of Responses."""
+@@ -192,14 +208,10 @@ class SessionRedirectMixin(object):
+ headers = prepared_request.headers
+ url = prepared_request.url
+
+- if 'Authorization' in headers:
++ if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+ # If we get redirected to a new host, we should strip out any
+ # authentication headers.
+- original_parsed = urlparse(response.request.url)
+- redirect_parsed = urlparse(url)
+-
+- if (original_parsed.hostname != redirect_parsed.hostname):
+- del headers['Authorization']
++ del headers['Authorization']
+
+ # .netrc might have more auth for us on our new host.
+ new_auth = get_netrc_auth(url) if self.trust_env else None
diff -Nru requests-2.2.1/debian/patches/series requests-2.2.1/debian/patches/series
--- requests-2.2.1/debian/patches/series 2015-03-17 23:46:15.000000000 +0000
+++ requests-2.2.1/debian/patches/series 2018-10-10 16:24:30.000000000 +0000
@@ -4,3 +4,4 @@
 CVE-2014-1830.patch
 CVE-2015-2296.patch
 use-setuptools-for-wheel-only.diff
+CVE-2018-18074.patch
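Review bot: The comment kept above the new `del headers['Authorization']` in the second inner hunk (`# If we get redirected to a new host, we should strip out any authentication headers.`) no longer matches the condition, which now also fires on a scheme or port change; I would replace it with `# Strip Authorization whenever the canonical root URL (scheme, host, port) changes, so credentials are never replayed to a different origin or sent over a downgraded connection.` In `should_strip_auth`, the final `return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme` compares `urlparse().port` values without normalising an explicit default port against an omitted one, so a same-origin redirect such as `https://host:443/` -> `https://host/` appears to strip the header; this fails safe (it only over-strips), but it is a behaviour change for existing callers that deserves a comment or a test case. Both `urlparse().port` reads can raise `ValueError` on a malformed port in a redirect `Location`, which would then surface out of `resolve_redirects` rather than being treated as "strip" — presumably acceptable, but worth confirming against the interpreter versions this trusty package ships for. The body of `resolve_redirects` continues outside the hunk.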