Univention Bugzilla – Bug 56155
requests: Multiple issues (5.0)
Last modified: 2023-06-21 12:11:42 CEST
New Debian requests 2.21.0-1+deb10u1 fixes:

This update addresses the following issue:

2.21.0-1+deb10u1 (Sun, 18 Jun 2023 00:29:17 +0200)

* Non-maintainer upload by the LTS team.
* Fix CVE-2023-32681: Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information.
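The leak described above comes down to one question a client has to answer on every redirect hop: does the Proxy-Authorization header belong on the request that goes into the tunnel? The following is an added illustration, not code from Univention, Debian or the requests project. It models the leaky behaviour beside a hardened variant and walks a constructed redirect chain to show which headers would reach the final origin. The proxy URL, credentials and redirect chain are constructed for the example, and `follow_redirects` models only header handling, not a real network exchange.

```python
"""
Added model of CVE-2023-32681 (not code from the requests project, Debian or
Univention): how a client rebuilds Proxy-Authorization when following a
redirect, leaky variant beside a hardened variant.

Constructed assumptions: the proxy URL carries basic-auth credentials, and
follow_redirects models only the header handling, not a real exchange.
"""
import base64
from urllib.parse import urlsplit


def basic_auth_value(username, password):
    """Encode credentials as an HTTP Basic authorization value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def rebuild_proxy_header_leaky(headers, target_url, proxy_url):
    """Leaky model: re-add Proxy-Authorization on every hop regardless of scheme.

    For an https:// target the header travels inside the tunnelled request,
    which the proxy cannot see or strip, so the origin server receives the
    proxy credentials.
    """
    headers = dict(headers)
    proxy = urlsplit(proxy_url)
    if proxy.username and proxy.password:
        headers["Proxy-Authorization"] = basic_auth_value(proxy.username, proxy.password)
    return headers


def rebuild_proxy_header_hardened(headers, target_url, proxy_url):
    """Hardened model: drop any inherited Proxy-Authorization, then re-add it
    only for plain-http targets, where the proxy reads and removes it before
    forwarding.  For https targets the credentials belong only in the CONNECT
    request sent to the proxy, never in the tunnelled request.
    """
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlsplit(target_url).scheme
    proxy = urlsplit(proxy_url)
    if scheme == "http" and proxy.username and proxy.password:
        headers["Proxy-Authorization"] = basic_auth_value(proxy.username, proxy.password)
    return headers


def follow_redirects(initial_url, redirect_chain, proxy_url, rebuild):
    """Walk a constructed redirect chain and return (final_url, headers) that
    would be sent to the final destination.  redirect_chain maps a URL to the
    URL it redirects to; the walk stops at a URL with no entry.  The rebuild
    hook runs only on redirect hops, mirroring where the header was rebuilt.
    """
    headers = {"User-Agent": "example/0"}  # constructed initial headers
    url = initial_url
    while url in redirect_chain:
        url = redirect_chain[url]
        headers = rebuild(headers, url, proxy_url)
    return url, headers


def destination_sees_proxy_credentials(final_url, headers):
    """True when an HTTPS origin would receive the proxy's credentials,
    i.e. the condition the advisory describes."""
    return urlsplit(final_url).scheme == "https" and "Proxy-Authorization" in headers


if __name__ == "__main__":
    # Constructed sample values, not real infrastructure.
    proxy = "http://proxyuser:s3cret@proxy.example.test:3128"
    chain = {"http://example.test/start": "https://example.test/final"}
    for name, rebuild in (("leaky", rebuild_proxy_header_leaky),
                          ("hardened", rebuild_proxy_header_hardened)):
        final_url, headers = follow_redirects("http://example.test/start", chain, proxy, rebuild)
        print(name, "leaks proxy credentials:",
              destination_sees_proxy_credentials(final_url, headers))
```

The hardened variant encodes the check a reviewer of any HTTP client should look for: the proxy header is never inherited across hops, and it is only attached when the proxy will see and strip it. An http-to-http redirect still carries the header, which is correct, because there the proxy is the party that consumes it.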
--- mirror/ftp/pool/main/r/requests/requests_2.21.0-1.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/requests_2.21.0-1+deb10u1.dsc @@ -1,3 +1,17 @@ +2.21.0-1+deb10u1 [Sun, 18 Jun 2023 00:29:17 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2023-32681: + Requests has been leaking Proxy-Authorization headers to destination + servers when redirected to an HTTPS endpoint. For HTTP connections sent + through the tunnel, the proxy will identify the header in the request + itself and remove it prior to forwarding to the destination server. However + when sent over HTTPS, the `Proxy-Authorization` header must be sent in the + CONNECT request as the proxy has no visibility into the tunneled request. + This results in Requests forwarding proxy credentials to the destination + server unintentionally, allowing a malicious actor to potentially + exfiltrate sensitive information. + 2.21.0-1 [Tue, 12 Feb 2019 01:28:14 +0100] Daniele Tricoli <eriol@debian.org>: * New upstream release. <http://piuparts.knut.univention.de/5.0-3/#7998657811104060085>
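Review bot: the changelog entry added in the `@@ -1,3 +1,17 @@` hunk describes the vulnerability but names neither the upstream fix commit nor the source file that was patched, so a reader of this .dsc diff cannot tell which code path the backport touched; consider adding the upstream reference after `* Fix CVE-2023-32681:` so the backport can be checked against it.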
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-3] 6b46aae90a Bug #56155: requests 2.21.0-1+deb10u1
 doc/errata/staging/requests.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

[5.0-3] d49d9b1136 Bug #56155: requests 2.21.0-1+deb10u1
 doc/errata/staging/requests.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x713>