Security update for python-requests

Announcement ID: SUSE-SU-2016:0114-1
Rating: moderate
References:
Cross-References:
CVSS scores:
Affected Products:
  • Public Cloud Module 12
  • SUSE Cloud for SLE 12 Compute Nodes 5
  • SUSE Enterprise Storage 1.0 1
  • SUSE Enterprise Storage 2
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise High Availability Extension 12
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves one vulnerability and has two security fixes can now be installed.

Description:

The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements:

  • Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)

  • Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'<scheme>://<hostname>': '<proxy>'}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work.

  • Update certificate bundle to match "certifi" 2015.9.6.2's weak certificate bundle.
  • Response.raise_for_status now prints the URL that failed as part of the exception message.
  • requests.utils.get_netrc_auth now takes an raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown.
  • Change to bundled projects import logic to make it easier to unbundle requests downstream.
  • Change the default User-Agent string to avoid leaking data on Linux: now contains only the requests version.
  • The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation.
  • Empty fields in the NO_PROXY environment variable are now ignored.
  • Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing.
  • Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a Chunked body.
  • Digest Auth support is now thread safe.
  • Resolved several bugs involving chunked transfer encoding and response framing.
  • Copy a PreparedRequest's CookieJar more reliably.
  • Support bytearrays when passed as parameters in the "files" argument.
  • Avoid data duplication when creating a request with "str", "bytes", or "bytearray" input to the "files" argument.
  • "Connection: keep-alive" header is now sent automatically.
  • Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is used to set individual connect and read timeouts.

For a comprehensive list of changes please refer to the package's change log or the Release Notes at http://docs.python-requests.org/en/latest/community/updates/#id3

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Cloud for SLE 12 Compute Nodes 5
    zypper in -t patch SUSE-SLE12-CLOUD-5-2016-80=1
  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-80=1
  • SUSE Linux Enterprise High Availability Extension 12
    zypper in -t patch SUSE-SLE-HA-12-2016-80=1
  • SUSE Linux Enterprise Server for SAP Applications 12
    zypper in -t patch SUSE-SLE-SERVER-12-2016-80=1 SUSE-SLE-HA-12-2016-80=1
  • Public Cloud Module 12
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-80=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-80=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-80=1
  • SUSE Linux Enterprise Server 12
    zypper in -t patch SUSE-SLE-SERVER-12-2016-80=1
  • SUSE Enterprise Storage 1.0 1
    zypper in -t patch SUSE-Storage-1.0-2016-80=1
  • SUSE Enterprise Storage 2
    zypper in -t patch SUSE-Storage-2-2016-80=1

Package List:

  • SUSE Cloud for SLE 12 Compute Nodes 5 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Linux Enterprise Desktop 12 SP1 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Linux Enterprise High Availability Extension 12 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
    • python-requests-2.8.1-6.9.1
  • Public Cloud Module 12 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Linux Enterprise Server 12 SP1 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Linux Enterprise Server 12 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Enterprise Storage 1.0 1 (noarch)
    • python-requests-2.8.1-6.9.1
  • SUSE Enterprise Storage 2 (noarch)
    • python-requests-2.8.1-6.9.1

References: