Security update for python-requests
| Announcement ID: | SUSE-SU-2016:0114-1 |
| Rating: | moderate |
| References: | #922448 #929736 #961596 |
| Affected Products: |
An update that solves one vulnerability and has two fixes is now available.
Description:
The python-requests module has been updated to version 2.8.1, which brings
several fixes and enhancements:
- Fix handling of cookies on redirect. Previously a cookie without a host
value set would use the hostname for the redirected URL exposing
requests users to session fixation attacks and potentially cookie
stealing. (bsc#922448, CVE-2015-2296)
- Add support for per-host proxies. This allows the proxies dictionary to
have entries
of the form {'
will be used in preference to the previously-supported scheme-specific
ones, but the previous syntax will continue to work.
- Update certificate bundle to match "certifi" 2015.9.6.2's weak
certificate bundle.
- Response.raise_for_status now prints the URL that failed as part of the
exception message.
- requests.utils.get_netrc_auth now takes an raise_errors kwarg,
defaulting to False. When True, errors parsing .netrc files cause
exceptions to be thrown.
- Change to bundled projects import logic to make it easier to unbundle
requests downstream.
- Change the default User-Agent string to avoid leaking data on Linux: now
contains only the requests version.
- The json parameter to post() and friends will now only be used if
neither data nor files are present, consistent with the documentation.
- Empty fields in the NO_PROXY environment variable are now ignored.
- Fix problem where httplib.BadStatusLine would get raised if combining
stream=True with contextlib.closing.
- Prevent bugs where we would attempt to return the same connection back
to the connection pool twice when sending a Chunked body.
- Digest Auth support is now thread safe.
- Resolved several bugs involving chunked transfer encoding and response
framing.
- Copy a PreparedRequest's CookieJar more reliably.
- Support bytearrays when passed as parameters in the "files" argument.
- Avoid data duplication when creating a request with "str", "bytes", or
"bytearray" input to the "files" argument.
- "Connection: keep-alive" header is now sent automatically.
- Support for connect timeouts. Timeout now accepts a tuple (connect,
read) which is used to set individual connect and read timeouts.
For a comprehensive list of changes please refer to the package's change
log or the Release Notes at
http://docs.python-requests.org/en/latest/community/updates/#id3
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Compute 5:
zypper in -t patch SUSE-SLE12-CLOUD-5-2016-80=1 - SUSE Linux Enterprise Server 12-SP1:
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-80=1 - SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2016-80=1 - SUSE Linux Enterprise Module for Public Cloud 12:
zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-80=1 - SUSE Linux Enterprise High Availability 12:
zypper in -t patch SUSE-SLE-HA-12-2016-80=1 - SUSE Linux Enterprise Desktop 12-SP1:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-80=1 - SUSE Enterprise Storage 2:
zypper in -t patch SUSE-Storage-2-2016-80=1 - SUSE Enterprise Storage 1.0:
zypper in -t patch SUSE-Storage-1.0-2016-80=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE OpenStack Cloud Compute 5 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Linux Enterprise Server 12-SP1 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Linux Enterprise Server 12 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Linux Enterprise High Availability 12 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Linux Enterprise Desktop 12-SP1 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Enterprise Storage 2 (noarch):
- python-requests-2.8.1-6.9.1
- SUSE Enterprise Storage 1.0 (noarch):
- python-requests-2.8.1-6.9.1