Date: Thu, 6 Nov 2014 19:53:30 -0500 (EST) From: cve-assign@...re.org To: graffatcolmingov@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request for requests-kerberos -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://github.com/requests/requests-kerberos/pull/36 > https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6 > https://pypi.python.org/pypi/requests-kerberos > A fix was merged and released today for the package which performs > kerberos authentication when using python-requests. Prior to this, > every version of the package did not properly handle mutual > authentication which means that the client did not verify that the > user was communicating with a trusted server. The version which > contains the fix is 0.6 and all prior versions are considered > vulnerable. > This bug, however, prevented the mutual authentication code from being > executed, so it's possible that users think they're talking to a > trusted server, but they're not. > requests_kerberos/kerberos_.py > Make certain that responses always pass through handle_other() to provide mutual > authentication before returning them to the user. > 0.6: 2014-11-04 > Handle mutual authentication (see pull request 36) Use CVE-2014-8650. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUXBeLAAoJEKllVAevmvmssi4IAIuPRLXq+cRuy9kVNZMey5hd GVJKAZA4ZBqPHa147iuEpHLiNQx/aKTCTWoXZBeqnFdZKZFi/Uq5BLws4nWKDhfj JW5VCfUR6nf0uiglbmQwFX9eswGlLo/73V8NWReymrv9ENc709BNcSVErw76qElh p6zBrdRsGqIG1MfeKF8xt0Gn63e55k/qE4t4TeGybeQyLxtGfF+Potyxx9RYtlIr MrrXJIIQKry8DcRTHWfuEx1nJ65dOXJETnEBiAQTaQJ9y3NPEylbL6g83ykRGENl QWYZNI/hZ6ZVg8Wub6h2YHp52UqLz7I/rwJN47N3uNebElbgLqNwz1BOHS+WKdc= =5P3v -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ