Bug 1144907 (CVE-2014-1830)

Summary: CVE-2014-1830 python-requests: Proxy-Authorization header leak
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aavati, abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, dallan, edewata, erik, gkotton, grocha, katello-bugs, lhh, lpeer, markmc, mmccune, nlevinki, poelstra, rbean, rbryant, rfortier, rhos-maint, rhs-bugs, sagarun, sclewis, sisharma, smohan, ssaha, tjay, vbellur, wmealing, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: requests 2.3.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-20 18:19:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1046627, 1046628, 1144910    
Bug Blocks: 1046630    

Description Arun Babu Neelicattu 2014-09-22 01:02:00 UTC 
It was discovered that the python-requests Proxy-Authorization header was never re-evaluated when a redirect occurs. The Proxy-Authorization header was sent to any new proxy or non-proxy destination as redirected.

References:

https://github.com/kennethreitz/requests/issues/1885#issuecomment-33793651
Comment 1 Arun Babu Neelicattu 2014-09-22 01:03:43 UTC 
Upstream Issue:

https://github.com/kennethreitz/requests/issues/1885

Upstream Commit:

https://github.com/kennethreitz/requests/commit/4d8cb3244e8e4f84b250c10a48e025f9a8bf6137
Comment 3 Arun Babu Neelicattu 2014-09-22 01:10:00 UTC 
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/python/2014/1830.yaml
Comment 4 Arun Babu Neelicattu 2014-09-22 01:15:41 UTC 
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 1046627]
Affects: epel-7 [bug 1144910]
Affects: epel-6 [bug 1046628]
Comment 6 Vincent Danen 2015-01-20 18:19:45 UTC 
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.