Bug 1169296 - python-requests-kerberos 0.6-1.el6 incompatible with python-requests-1.1.0
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: python-requests-kerberos
Version: el6
Hardware: Unspecified
OS: Unspecified
Assignee: Dan Callaghan
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-12-01 09:38 UTC by Steve Traylen
Modified: 2018-04-11 16:53 UTC (History)

Fixed In Version: python-requests-kerberos-0.7.0-2.el6
Doc Type: Bug Fix
Last Closed: 2015-06-26 16:10:23 UTC



Description Steve Traylen 2014-12-01 09:38:42 UTC
Hi,

The fix to CVE-2014-8650 in

* python-requests-kerberos 0.6-1.el6

https://github.com/requests/requests-kerberos/pull/36

requires a newer python-requests to handle this fix.

In particular, 1.2 is required.


Currently we see:

MutualAuthenticationError: Unable to authenticate <Response [200]>

The 1.2.0 release of requests changed this area of the interaction
between requests and requests-kerberos.

https://github.com/kennethreitz/requests/blob/master/HISTORY.rst


For reference, our downstream bug:
https://its.cern.ch/jira/browse/AI-4070

Comment 1 Dan Callaghan 2015-01-09 05:05:36 UTC
Sorry, I must have accidentally tested this update with a newer version of requests (we are using 2.3 on EL6 for various reasons).

I will take a look this weekend to see whether I can get it working with older requests.

The fix for mutual authentication that went into requests-kerberos 0.6 is not perfect anyway, we hit an issue which I also need to try and fix...
https://github.com/requests/requests-kerberos/pull/42

Comment 2 Matěj Cepl 2015-01-14 14:18:07 UTC
OK, let me start by saying that I now lobby even more for bug 1162249 to be resolved. I am going to take a look.

Comment 3 Steve Traylen 2015-02-06 14:34:57 UTC
This applies to EPEL7 also which has python-requests-1.1.0-8.el7 

Unfortunately I can't read bug 1162249.

Comment 4 Matěj Cepl 2015-02-06 14:57:10 UTC
(In reply to Steve Traylen from comment #3)
> This applies to EPEL7 also which has python-requests-1.1.0-8.el7 
> 
> Unfortunately I can't read bug 1162249.

I don't think that bug matters here ... an internal Red Hat tool used python-requests and it broke on EPEL-7. Fortunately, it has now been rewritten to use just plain urllib2 (and urllib2_kerberos) so this issue doesn't apply to it anymore.

Comment 5 Dan Callaghan 2015-06-11 04:37:22 UTC
Sorry for the delay in getting to this bug.

(In reply to Steve Traylen from comment #3)
> This applies to EPEL7 also which has python-requests-1.1.0-8.el7 

RHEL7 is rebasing python-requests to 2.6 in RHEL7.2, which should fix this problem: bug 1214365.

For RHEL6, it looks like python-requests 2.6 will also appear in RHEL6.7, at which point the EPEL package will be retired: bug 1176248.

I will also take a look at how much work it will be to adjust requests-kerberos to work with requests 1.1 in the meantime.

Comment 6 Dan Callaghan 2015-06-11 05:04:52 UTC
Workaround is to disable mutual authentication:

    ...auth=requests_kerberos.HTTPKerberosAuth(mutual_authentication=requests_kerberos.DISABLED)...
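Added example, not part of the comment above and not code from requests-kerberos: the workaround turns off the mutual authentication that the CVE-2014-8650 fix concerns, so once the fixed package is installed it is worth locating every place that still carries it. This sketch walks Python source with `ast` and reports each `HTTPKerberosAuth` call that passes `mutual_authentication=DISABLED`; the function names and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source: two calls using the workaround, one using the default.
SAMPLE = '''
import requests
import requests_kerberos
from requests_kerberos import HTTPKerberosAuth, DISABLED

weak = requests_kerberos.HTTPKerberosAuth(
    mutual_authentication=requests_kerberos.DISABLED)
also_weak = HTTPKerberosAuth(mutual_authentication=DISABLED)
default = HTTPKerberosAuth()
'''


def _name(node):
    """Return the trailing identifier of a Name or Attribute node, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_disabled_mutual_auth(source, filename="<string>"):
    """Return (filename, line) for each HTTPKerberosAuth(...) call that passes
    mutual_authentication=DISABLED, i.e. the workaround from comment 6."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or _name(node.func) != "HTTPKerberosAuth":
            continue
        for kw in node.keywords:
            if kw.arg == "mutual_authentication" and _name(kw.value) == "DISABLED":
                hits.append((filename, node.lineno))
    return sorted(hits)


if __name__ == "__main__":
    for fname, line in find_disabled_mutual_auth(SAMPLE, "sample.py"):
        print(f"{fname}:{line}: mutual authentication disabled")
```

The match is purely syntactic: a `DISABLED` value passed through a variable or a config file is not detected.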

Comment 7 Dan Callaghan 2015-06-11 06:20:39 UTC
Reported upstream, with analysis and a potential fix: https://github.com/requests/requests-kerberos/issues/54

Comment 8 Fedora Update System 2015-06-11 06:58:18 UTC
python-requests-kerberos-0.7.0-2.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/python-requests-kerberos-0.7.0-2.el7

Comment 9 Fedora Update System 2015-06-11 06:58:47 UTC
python-requests-kerberos-0.7.0-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-requests-kerberos-0.7.0-2.el6

Comment 10 Fedora Update System 2015-06-11 18:45:31 UTC
Package python-requests-kerberos-0.7.0-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-requests-kerberos-0.7.0-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-6654/python-requests-kerberos-0.7.0-2.el6
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2015-06-26 16:10:23 UTC
python-requests-kerberos-0.7.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-06-26 16:10:31 UTC
python-requests-kerberos-0.7.0-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
