SuSE Local Security Checks : SUSE: Security Advisory (SUSE-SU-2016:0114-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.4.2016.0114.1

Category: SuSE Local Security Checks

Title: SUSE: Security Advisory (SUSE-SU-2016:0114-1)

Summary: The remote host is missing an update for the 'python-requests' package(s) announced via the SUSE-SU-2016:0114-1 advisory.

Description: Summary:
The remote host is missing an update for the 'python-requests' package(s) announced via the SUSE-SU-2016:0114-1 advisory.

Vulnerability Insight:
The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements:

- Fix handling of cookies on redirect. Previously a cookie without a host value set
would use the hostname for the redirected URL exposing requests users to session
fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)

- Add support for per-host proxies. This allows the proxies dictionary to have entries
of the form {'://': ''}. Host-specific
proxies will be used in preference to the previously-supported scheme-specific ones,
but the previous syntax will continue to work.
- Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle.
- Response.raise_for_status now prints the URL that failed as part of the exception message.
- requests.utils.get_netrc_auth now takes an raise_errors kwarg, defaulting to False.
When True, errors parsing .netrc files cause exceptions to be thrown.
- Change to bundled projects import logic to make it easier to unbundle requests downstream.
- Change the default User-Agent string to avoid leaking data on Linux: now contains only
the requests version.
- The json parameter to post() and friends will now only be used if neither data nor files
are present, consistent with the documentation.
- Empty fields in the NO_PROXY environment variable are now ignored.
- Fix problem where httplib.BadStatusLine would get raised if combining stream=True with
contextlib.closing.
- Prevent bugs where we would attempt to return the same connection back to the connection
pool twice when sending a Chunked body.
- Digest Auth support is now thread safe.
- Resolved several bugs involving chunked transfer encoding and response framing.
- Copy a PreparedRequest's CookieJar more reliably.
- Support bytearrays when passed as parameters in the 'files' argument.
- Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray'
input to the 'files' argument.
- 'Connection: keep-alive' header is now sent automatically.
- Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is
used to set individual connect and read timeouts.

For a comprehensive list of changes please refer to the package's change log or the Release Notes at [link moved to references]

Affected Software/OS:
'python-requests' package(s) on SUSE Linux Enterprise Desktop 12-SP1, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 12-SP1, SUSE Linux Enterprise Server for SAP Applications 12, SUSE Linux Enterprise Server for SAP Applications 12-SP1.

Solution:
Please install the updated package(s).

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-2296
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
http://www.openwall.com/lists/oss-security/2015/03/14/4
http://www.openwall.com/lists/oss-security/2015/03/15/1
http://www.ubuntu.com/usn/USN-2531-1

Copyright Copyright (C) 2021 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.4.2016.0114.1
Category:	SuSE Local Security Checks
Title:	SUSE: Security Advisory (SUSE-SU-2016:0114-1)
Summary:	The remote host is missing an update for the 'python-requests' package(s) announced via the SUSE-SU-2016:0114-1 advisory.
Description:	Summary: The remote host is missing an update for the 'python-requests' package(s) announced via the SUSE-SU-2016:0114-1 advisory. Vulnerability Insight: The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements: - Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296) - Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'://': ''}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work. - Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle. - Response.raise_for_status now prints the URL that failed as part of the exception message. - requests.utils.get_netrc_auth now takes an raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown. - Change to bundled projects import logic to make it easier to unbundle requests downstream. - Change the default User-Agent string to avoid leaking data on Linux: now contains only the requests version. - The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation. - Empty fields in the NO_PROXY environment variable are now ignored. - Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing. - Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a Chunked body. - Digest Auth support is now thread safe. - Resolved several bugs involving chunked transfer encoding and response framing. - Copy a PreparedRequest's CookieJar more reliably. - Support bytearrays when passed as parameters in the 'files' argument. - Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray' input to the 'files' argument. - 'Connection: keep-alive' header is now sent automatically. - Support for connect timeouts. Timeout now accepts a tuple (connect, read) which is used to set individual connect and read timeouts. For a comprehensive list of changes please refer to the package's change log or the Release Notes at [link moved to references] Affected Software/OS: 'python-requests' package(s) on SUSE Linux Enterprise Desktop 12-SP1, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 12-SP1, SUSE Linux Enterprise Server for SAP Applications 12, SUSE Linux Enterprise Server for SAP Applications 12-SP1. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-2296 http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:133 http://www.openwall.com/lists/oss-security/2015/03/14/4 http://www.openwall.com/lists/oss-security/2015/03/15/1 http://www.ubuntu.com/usn/USN-2531-1
Copyright	Copyright (C) 2021 Greenbone AG