CVE-2015-2296

Advisory

ruffruffs 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

++++++++++++++++++

**Bugfixes**

- CVE-2015-2296: Fix handling of cookies on redirect. Previously a cookie
without a host value set would use the hostname for the redirected URL
exposing requests users to session fixation attacks and potentially cookie
stealing. This was disclosed privately by Matthew Daley of
`BugFuzz <https://bugfuzz.com>`_. This affects all versions of requests from
v2.1.0 to v2.5.3 (inclusive on both ends).

- Fix error when requests is an ``install_requires`` dependency and ``python
setup.py test`` is run. (2462)

- Fix error when urllib3 is unbundled and requests continues to use the
vendored import location.

- Include fixes to ``urllib3``'s header handling.

- Requests' handling of unvendored dependencies is now more restrictive.

**Features and Improvements**

- Support bytearrays when passed as parameters in the ``files`` argument.
(2468)

- Avoid data duplication when creating a request with ``str``, ``bytes``, or
``bytearray`` input to the ``files`` argument.

Resources

• https://pypi.org/project/ruffruffs
• https://pyup.io/changelogs/ruffruffs/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296
• http://www.openwall.com/lists/oss-security/2015/03/15/1
• http://www.ubuntu.com/usn/USN-2531-1
• http://www.openwall.com/lists/oss-security/2015/03/14/4
• https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
• https://warehouse.python.org/project/requests/2.6.0/
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
• http://advisories.mageia.org/MGASA-2015-0120.html
• http://www.mandriva.com/security/advisories?name=MDVSA-2015:133