SUSE-SU-2016:0114-1: moderate: Security update for python-requests

Wed Jan 13 16:11:06 MST 2016

   SUSE Security Update: Security update for python-requests
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:0114-1
Rating:             moderate
References:         #922448 #929736 #961596 
Cross-References:   CVE-2015-2296
Affected Products:
                    SUSE OpenStack Cloud Compute 5
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Linux Enterprise High Availability 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Enterprise Storage 2
                    SUSE Enterprise Storage 1.0
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   The python-requests module has been updated to version 2.8.1, which brings
   several fixes and enhancements:

   - Fix handling of cookies on redirect. Previously a cookie without a host
     value set would use the hostname for the redirected URL exposing
     requests users to session fixation attacks and potentially cookie
     stealing. (bsc#922448, CVE-2015-2296)

   - Add support for per-host proxies. This allows the proxies dictionary to
     have entries
     of the form {'<scheme>://<hostname>': '<proxy>'}. Host-specific proxies
      will be used in preference to the previously-supported scheme-specific
      ones, but the previous syntax will continue to work.
   - Update certificate bundle to match "certifi" 2015.9.6.2's weak
     certificate bundle.
   - Response.raise_for_status now prints the URL that failed as part of the
     exception message.
   - requests.utils.get_netrc_auth now takes an raise_errors kwarg,
     defaulting to False. When True, errors parsing .netrc files cause
     exceptions to be thrown.
   - Change to bundled projects import logic to make it easier to unbundle
     requests downstream.
   - Change the default User-Agent string to avoid leaking data on Linux: now
     contains only the requests version.
   - The json parameter to post() and friends will now only be used if
     neither data nor files are present, consistent with the documentation.
   - Empty fields in the NO_PROXY environment variable are now ignored.
   - Fix problem where httplib.BadStatusLine would get raised if combining
     stream=True with contextlib.closing.
   - Prevent bugs where we would attempt to return the same connection back
     to the connection pool twice when sending a Chunked body.
   - Digest Auth support is now thread safe.
   - Resolved several bugs involving chunked transfer encoding and response
     framing.
   - Copy a PreparedRequest's CookieJar more reliably.
   - Support bytearrays when passed as parameters in the "files" argument.
   - Avoid data duplication when creating a request with "str", "bytes", or
     "bytearray" input to the "files" argument.
   - "Connection: keep-alive" header is now sent automatically.
   - Support for connect timeouts. Timeout now accepts a tuple (connect,
     read) which is used to set individual connect and read timeouts.

   For a comprehensive list of changes please refer to the package's change
   log or the Release Notes at
   http://docs.python-requests.org/en/latest/community/updates/#id3

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Compute 5:

      zypper in -t patch SUSE-SLE12-CLOUD-5-2016-80=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-80=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-80=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-80=1

   - SUSE Linux Enterprise High Availability 12:

      zypper in -t patch SUSE-SLE-HA-12-2016-80=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-80=1

   - SUSE Enterprise Storage 2:

      zypper in -t patch SUSE-Storage-2-2016-80=1

   - SUSE Enterprise Storage 1.0:

      zypper in -t patch SUSE-Storage-1.0-2016-80=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud Compute 5 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Linux Enterprise Server 12 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Linux Enterprise High Availability 12 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Enterprise Storage 2 (noarch):

      python-requests-2.8.1-6.9.1

   - SUSE Enterprise Storage 1.0 (noarch):

      python-requests-2.8.1-6.9.1

References:

   https://www.suse.com/security/cve/CVE-2015-2296.html
   https://bugzilla.suse.com/922448
   https://bugzilla.suse.com/929736
   https://bugzilla.suse.com/961596