oss-sec mailing list archives
Re: CVE Request for requests-kerberos
From: cve-assign () mitre org
Date: Thu, 6 Nov 2014 19:53:30 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
https://github.com/requests/requests-kerberos/pull/36 https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6 https://pypi.python.org/pypi/requests-kerberos
A fix was merged and released today for the package which performs kerberos authentication when using python-requests. Prior to this, every version of the package did not properly handle mutual authentication which means that the client did not verify that the user was communicating with a trusted server. The version which contains the fix is 0.6 and all prior versions are considered vulnerable.
This bug, however, prevented the mutual authentication code from being executed, so it's possible that users think they're talking to a trusted server, but they're not.
requests_kerberos/kerberos_.py
Make certain that responses always pass through handle_other() to provide mutual authentication before returning them to the user.
0.6: 2014-11-04 Handle mutual authentication (see pull request 36)
Use CVE-2014-8650. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUXBeLAAoJEKllVAevmvmssi4IAIuPRLXq+cRuy9kVNZMey5hd GVJKAZA4ZBqPHa147iuEpHLiNQx/aKTCTWoXZBeqnFdZKZFi/Uq5BLws4nWKDhfj JW5VCfUR6nf0uiglbmQwFX9eswGlLo/73V8NWReymrv9ENc709BNcSVErw76qElh p6zBrdRsGqIG1MfeKF8xt0Gn63e55k/qE4t4TeGybeQyLxtGfF+Potyxx9RYtlIr MrrXJIIQKry8DcRTHWfuEx1nJ65dOXJETnEBiAQTaQJ9y3NPEylbL6g83ykRGENl QWYZNI/hZ6ZVg8Wub6h2YHp52UqLz7I/rwJN47N3uNebElbgLqNwz1BOHS+WKdc= =5P3v -----END PGP SIGNATURE-----
Current thread:
- CVE Request for requests-kerberos Ian Cordasco (Nov 04)
- Re: CVE Request for requests-kerberos Kurt Seifried (Nov 04)
- Re: CVE Request for requests-kerberos Ian Cordasco (Nov 04)
- Re: CVE Request for requests-kerberos cve-assign (Nov 06)
- Re: CVE Request for requests-kerberos Kurt Seifried (Nov 04)