From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id AE6DE158089 for ; Sun, 17 Sep 2023 06:37:33 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BE8B12BC107; Sun, 17 Sep 2023 06:35:30 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 587562BC040 for ; Sun, 17 Sep 2023 06:32:30 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165]) by smtp.gentoo.org (Postfix) with ESMTP id BFBFD335D3A for ; Sun, 17 Sep 2023 06:32:29 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id B3FB78C600 for ; Sun, 17 Sep 2023 06:32:29 +0000 (UTC) Subject: [gentoo-announce] [ GLSA 202309-08 ] Requests: Information Leak Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============1914268366441101838==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Sun, 17 Sep 2023 06:32:29 -0000 Message-ID: <169493234973.7.7063727282086953339@eaa400207d9c> X-Archives-Salt: e290ee09-44b9-4d94-ac86-9b88aab12e21 X-Archives-Hash: 028c673a7114c1c83e7ddb8f4d38e69c --===============1914268366441101838== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202309-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Requests: Information Leak Date: September 17, 2023 Bugs: #906970 ID: 202309-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in Requests which could result in the disclosure of plaintext secrets. Background ========== Requests is an HTTP library for human beings. Affected packages ================= Package Vulnerable Unaffected ------------------- ------------ ------------ dev-python/requests < 2.31.0 >= 2.31.0 Description =========== Requests is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin with authentication credentials encoded into the URL. Impact ====== Users' proxy authentication secrets could be disclosed to parties beyond the used HTTP proxy server. Workaround ========== There is no known workaround at this time. Resolution ========== All Requests users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-python/requests-2.31.0" References ========== [ 1 ] CVE-2023-32681 https://nvd.nist.gov/vuln/detail/CVE-2023-32681 [ 2 ] GHSA-j8r2-6x86-q33q Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202309-08 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============1914268366441101838== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmUGnX0ACgkQFMQkOaVy +9le3w/+Pk47vlj6dG/SyHUIosJ/xyJBbJAf+izyWSKyH0vNUFP+raSxujHpO9w/ m+vFrrdn727OqGdMPE5OzBA+0XT53bdNGQCjm6vjqYNmPbK6StlIxjlQIQme4KyE Xfv2iqEJerVzv5K6ghm6KY7PD5F2vZOuUcxSjaZPbtZ/mk2C1arQugfCc5Yo7bvT JLz2VFRefg2+2TcnlbySabqIkijQGbU+kW54kNrPcomgz55tfCiIwdBxFkwch1S3 4jRjNVtu9rog7XjWFgEmbcw4/JwnOvvLPNjwgd3qzQ+G9EwJf8jjXbB1hnGJi/Gc yYSKrOzix9ZFzeSsiXV3e8dGmF2Iai3B2prfBiqFfOPWV+uUIBQZkSOeyvgzK+tW 73oj38ssIOTGMXO+n2mUQxeHKamJ/Ii/5dyQNPIZS0TuL9f+LvvnOVhdjeD+RtEB GDMATneQYTp4nRN/K7qVdYligVB8G222Q5GgWKm+eogGIb0bQIWVJ0EEM0NIdj2g gzkh1N40rczIlN/7g08xlYZ4+xjkJDSeRF8w8rtZSqUa3EYZOl9XGdRZ3LxE1AH+ wNahij+pWuLe7zOIiGt4cY3D31JKtV/AHr8iKO3YfYAtSWny3obnmZydisw160M5 EAUBLaYbaZ5JnHCfP5Kr/ZmWAGahNk5RzRP5c4j6E7fjkaKAc0c= =TbCW -----END PGP SIGNATURE----- --===============1914268366441101838==--