http://www.mandriva.com/en/
______________________________
Package : python-requests
Date : March 29, 2015
Affected: Business Server 2.0
______________________________
Problem Description:
Updated python-requests packages fix security vulnerabilities:
Python-requests was found to have a vulnerability, where the attacker
can retrieve the passwords from ~/.netrc file through redirect
requests, if the user has their passwords stored in the ~/.netrc file
(CVE-2014-1829).
It was discovered that the python-requests Proxy-Authorization header
was never re-evaluated when a redirect occurs. The Proxy-Authorization
header was sent to any new proxy or non-proxy destination as redirected
(CVE-2014-1830).
In python-requests before 2.6.0, a cookie without a host value set
would use the hostname for the redirected URL exposing requests
users to session fixation attacks and potentially cookie stealing
(CVE-2015-2296).
______________________________
References:
http://cve.mitre.org/cgi-bin/
http://cve.mitre.org/cgi-bin/
http://cve.mitre.org/cgi-bin/
http://advisories.mageia.org/
http://advisories.mageia.org/
______________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
bdc01b89f7847864db186b65cd1d46
003bc0e04b5ebf77bcf00cf004d259
18db7d8b658c588b49979966fce657
______________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Komentarų nėra:
Rašyti komentarą