Hi,
The fix to CVE-2014-8650 in
* python-requests-kerberos 0.6-1.el6
  https://github.com/requests/requests-kerberos/pull/36
requires a newer python-requests to handle this fix. In particular 1.2 is required.
Currently we see:
MutualAuthenticationError: Unable to authenticate <Response [200]>
The 1.2.0 release of requests changed this area in interaction between requests and requests-kerberos.
https://github.com/kennethreitz/requests/blob/master/HISTORY.rst
For reference, our downstream bug: https://its.cern.ch/jira/browse/AI-4070
Sorry, I must have accidentally tested this update with a newer version of requests (we are using 2.3 on EL6 for various reasons). I will take a look this weekend to see whether I can get it working with older requests. The fix for mutual authentication that went into requests-kerberos 0.6 is not perfect anyway, we hit an issue which I also need to try and fix... https://github.com/requests/requests-kerberos/pull/42
OK, let me start by saying that I now lobby even more for bug 1162249 to be resolved. I am going to take a look.
This applies to EPEL7 also, which has python-requests-1.1.0-8.el7.
Unfortunately I can't read bug 1162249.
(In reply to Steve Traylen from comment #3)
> This applies to EPEL7 also which has python-requests-1.1.0-8.el7
>
> Unfortunately I can't read bug 1162249.
I don't think that bug matters here ... an internal Red Hat tool used python-requests and it broke on EPEL-7. Fortunately, it has been now rewritten to use just plain urllib2 (and urllib2_kerberos) so this issue doesn't apply to it anymore.
Sorry for the delay in getting to this bug.
(In reply to Steve Traylen from comment #3)
> This applies to EPEL7 also which has python-requests-1.1.0-8.el7
RHEL7 is rebasing python-requests to 2.6 in RHEL7.2, which should fix this problem: bug 1214365.
For RHEL6, it looks like python-requests 2.6 will also appear in RHEL6.7, at which point the EPEL package will be retired: bug 1176248.
I will also take a look at how much work it will be to adjust requests-kerberos to work with requests 1.1 in the meantime.
Workaround is to disable mutual authentication: ...auth=requests_kerberos.HTTPKerberosAuth(mutual_authentication=requests_kerberos.DISABLED)...
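
An added example, not part of the comment above and not code from requests-kerberos: one way to confine that workaround to the combination reported in this bug, so mutual authentication stays required everywhere else. The helper names are hypothetical, and treating only requests-kerberos 0.6.x on requests older than 1.2 as affected is an assumption drawn from the version numbers in this thread.

```python
import re

# Versions taken from this bug report: the CVE-2014-8650 fix shipped in
# requests-kerberos 0.6 and needs requests 1.2 or newer.
MIN_REQUESTS = (1, 2)
AFFECTED_KERBEROS = (0, 6)


def parse_version(text):
    """Return the leading numeric components of a version string as a tuple."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))


def hits_mutual_auth_bug(requests_version, kerberos_version):
    """True for requests-kerberos 0.6.x running on requests older than 1.2."""
    req = parse_version(requests_version)
    krb = parse_version(kerberos_version)
    return krb[:2] == AFFECTED_KERBEROS and req[:2] < MIN_REQUESTS


def choose_mode(requests_version, kerberos_version):
    """Name of the requests_kerberos mutual-authentication constant to use."""
    # With DISABLED the client does not verify the server's Kerberos reply,
    # so it is selected only for the affected combination.
    if hits_mutual_auth_bug(requests_version, kerberos_version):
        return "DISABLED"
    return "REQUIRED"


def build_auth():
    """Build an HTTPKerberosAuth object for the installed library versions."""
    # Imported lazily so the version logic above can be used without the libraries.
    import requests
    import requests_kerberos
    mode = choose_mode(requests.__version__, requests_kerberos.__version__)
    return requests_kerberos.HTTPKerberosAuth(
        mutual_authentication=getattr(requests_kerberos, mode))
```

Once a fixed package or a newer python-requests is installed, `build_auth()` returns to `REQUIRED` without any change to the calling code.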
Reported upstream, with analysis and a potential fix: https://github.com/requests/requests-kerberos/issues/54
python-requests-kerberos-0.7.0-2.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/python-requests-kerberos-0.7.0-2.el7
python-requests-kerberos-0.7.0-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/python-requests-kerberos-0.7.0-2.el6
Package python-requests-kerberos-0.7.0-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-requests-kerberos-0.7.0-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-6654/python-requests-kerberos-0.7.0-2.el6
then log in and leave karma (feedback).
python-requests-kerberos-0.7.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-requests-kerberos-0.7.0-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.