Accepted requests 2.21.0-1+deb10u1 (source) into oldoldstable
- To: dispatch@tracker.debian.org, debian-lts-changes@lists.debian.org
- Subject: Accepted requests 2.21.0-1+deb10u1 (source) into oldoldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 18 Jun 2023 15:00:23 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: requests_2.21.0-1+deb10u1_source.changes
- Debian-source: requests
- Debian-suite: oldoldstable
- Debian-version: 2.21.0-1+deb10u1
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1qAtt9-0030zo-HM@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 18 Jun 2023 16:48:42 CEST
Source: requests
Architecture: source
Version: 2.21.0-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
e4a82cd345c636b75eba0c5dcecde00de649cbfa 2560 requests_2.21.0-1+deb10u1.dsc
970805c2affcc5b237d86e7308dc4310f16d6f79 111528 requests_2.21.0.orig.tar.gz
3bd80765d3166d4da6262b6ff31c9815cfa7deb6 7720 requests_2.21.0-1+deb10u1.debian.tar.xz
6326ab299603cec2d10b69f473503baea5e33fc0 7412 requests_2.21.0-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
3eaa478b1d9f92f6f762b09affb17f0569e93d3a40a15f46ba5e5db79bbba56e 2560 requests_2.21.0-1+deb10u1.dsc
502a824f31acdacb3a35b6690b5fbf0bc41d63a24a45c4004352b0242707598e 111528 requests_2.21.0.orig.tar.gz
79758c9101c2df6ab4a42742f1fbe2aee813a125ff5a2cb097267b51c7850f12 7720 requests_2.21.0-1+deb10u1.debian.tar.xz
b6ee1cad8eb831ee3ca966543fc3f19397f480041ea807a07b5fc28d09038547 7412 requests_2.21.0-1+deb10u1_amd64.buildinfo
Changes:
requests (2.21.0-1+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2023-32681:
Requests has been leaking Proxy-Authorization headers to destination
servers when redirected to an HTTPS endpoint. For HTTP connections sent
through the tunnel, the proxy will identify the header in the request
itself and remove it prior to forwarding to the destination server. However
when sent over HTTPS, the `Proxy-Authorization` header must be sent in the
CONNECT request as the proxy has no visibility into the tunneled request.
This results in Requests forwarding proxy credentials to the destination
server unintentionally, allowing a malicious actor to potentially
exfiltrate sensitive information.
Files:
69476a91c5d0438afad4374ac21f5d1a 2560 python optional requests_2.21.0-1+deb10u1.dsc
1bcd0e0977c3f8db1848ba0e2b7ab904 111528 python optional requests_2.21.0.orig.tar.gz
26d1df52dae51b4a1c43ba84d6bddda7 7720 python optional requests_2.21.0-1+deb10u1.debian.tar.xz
4e2ac95c49df0cd0ab274fb8c05bcac6 7412 python optional requests_2.21.0-1+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
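
The header handling described in the changelog for CVE-2023-32681, as an added example that is not part of the original message and is not the requests code: a simplified model of rebuilding headers for a proxied redirect, with the leaking behaviour beside the corrected one, plus an audit check for tunneled requests. The function names, proxy URL, credentials and destination host are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the advisory).
PROXY = "http://svc-user:s3cret@proxy.example:3128"
REDIRECT_TARGET = "https://dest.example/landing"


def basic_auth(user, password):
    """Build the value of a Basic Proxy-Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def rebuild_headers(target_url, proxy_url, headers, patched):
    """Model of the headers placed inside the request sent for target_url.

    patched=False reproduces the leak: proxy credentials are attached to
    every request, including ones that travel inside a CONNECT tunnel.
    patched=True keeps them out of HTTPS requests; the transport layer is
    assumed to send them in the CONNECT request to the proxy instead.
    """
    # Drop any stale proxy credentials carried over from the previous hop.
    out = {k: v for k, v in headers.items()
           if k.lower() != "proxy-authorization"}
    proxy = urlsplit(proxy_url)
    tunneled = urlsplit(target_url).scheme.lower() == "https"
    if proxy.username and proxy.password:
        # Plain HTTP: the proxy reads the request and strips the header.
        # HTTPS: the proxy cannot see inside the tunnel, so only the
        # destination server would ever receive the header.
        if not (patched and tunneled):
            out["Proxy-Authorization"] = basic_auth(proxy.username,
                                                    proxy.password)
    return out


def leaks_proxy_credentials(target_url, headers):
    """Audit check: an HTTPS request must not carry Proxy-Authorization."""
    tunneled = urlsplit(target_url).scheme.lower() == "https"
    return tunneled and any(k.lower() == "proxy-authorization"
                            for k in headers)


if __name__ == "__main__":
    for patched in (False, True):
        sent = rebuild_headers(REDIRECT_TARGET, PROXY, {}, patched)
        print(f"patched={patched} leaks={leaks_proxy_credentials(REDIRECT_TARGET, sent)}")
```
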