Re: CVE Request for requests-kerberos

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://github.com/requests/requests-kerberos/pull/36
> https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6
> https://pypi.python.org/pypi/requests-kerberos

> A fix was merged and released today for the package which performs
> kerberos authentication when using python-requests. Prior to this,
> every version of the package did not properly handle mutual
> authentication which means that the client did not verify that the
> user was communicating with a trusted server. The version which
> contains the fix is 0.6 and all prior versions are considered
> vulnerable.

> This bug, however, prevented the mutual authentication code from being
> executed, so it's possible that users think they're talking to a
> trusted server, but they're not.

> requests_kerberos/kerberos_.py

> Make certain that responses always pass through handle_other() to provide mutual
> authentication before returning them to the user.

> 0.6: 2014-11-04
> Handle mutual authentication (see pull request 36)

Use CVE-2014-8650.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUXBeLAAoJEKllVAevmvmssi4IAIuPRLXq+cRuy9kVNZMey5hd
GVJKAZA4ZBqPHa147iuEpHLiNQx/aKTCTWoXZBeqnFdZKZFi/Uq5BLws4nWKDhfj
JW5VCfUR6nf0uiglbmQwFX9eswGlLo/73V8NWReymrv9ENc709BNcSVErw76qElh
p6zBrdRsGqIG1MfeKF8xt0Gn63e55k/qE4t4TeGybeQyLxtGfF+Potyxx9RYtlIr
MrrXJIIQKry8DcRTHWfuEx1nJ65dOXJETnEBiAQTaQJ9y3NPEylbL6g83ykRGENl
QWYZNI/hZ6ZVg8Wub6h2YHp52UqLz7I/rwJN47N3uNebElbgLqNwz1BOHS+WKdc=
=5P3v
-----END PGP SIGNATURE-----