Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu,  6 Nov 2014 19:53:30 -0500 (EST)
From: cve-assign@...re.org
To: graffatcolmingov@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request for requests-kerberos

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://github.com/requests/requests-kerberos/pull/36
> https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6
> https://pypi.python.org/pypi/requests-kerberos

> A fix was merged and released today for the package which performs
> kerberos authentication when using python-requests. Prior to this,
> every version of the package did not properly handle mutual
> authentication which means that the client did not verify that the
> user was communicating with a trusted server. The version which
> contains the fix is 0.6 and all prior versions are considered
> vulnerable.

> This bug, however, prevented the mutual authentication code from being
> executed, so it's possible that users think they're talking to a
> trusted server, but they're not.

> requests_kerberos/kerberos_.py

> Make certain that responses always pass through handle_other() to provide mutual
> authentication before returning them to the user.

> 0.6: 2014-11-04
> Handle mutual authentication (see pull request 36)

Use CVE-2014-8650.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUXBeLAAoJEKllVAevmvmssi4IAIuPRLXq+cRuy9kVNZMey5hd
GVJKAZA4ZBqPHa147iuEpHLiNQx/aKTCTWoXZBeqnFdZKZFi/Uq5BLws4nWKDhfj
JW5VCfUR6nf0uiglbmQwFX9eswGlLo/73V8NWReymrv9ENc709BNcSVErw76qElh
p6zBrdRsGqIG1MfeKF8xt0Gn63e55k/qE4t4TeGybeQyLxtGfF+Potyxx9RYtlIr
MrrXJIIQKry8DcRTHWfuEx1nJ65dOXJETnEBiAQTaQJ9y3NPEylbL6g83ykRGENl
QWYZNI/hZ6ZVg8Wub6h2YHp52UqLz7I/rwJN47N3uNebElbgLqNwz1BOHS+WKdc=
=5P3v
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.