Bug 1160886 - (CVE-2014-8650) VUL-0: CVE-2014-8650: python-requests-kerberos: python-requests-kerberos: improper handling of mutual authentication
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/110592/
Depends on:
Blocks:
Reported: 2020-01-14 10:27 UTC by Alexandros Toptsoglou
Modified: 2020-01-14 10:28 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2020-01-14 10:27:04 UTC
CVE-2014-8650

    https://github.com/requests/requests-kerberos/pull/36
    https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6
    https://pypi.python.org/pypi/requests-kerberos


    A fix was merged and released today for the package which performs
    kerberos authentication when using python-requests. Prior to this,
    every version of the package did not properly handle mutual
    authentication which means that the client did not verify that the
    user was communicating with a trusted server. The version which
    contains the fix is 0.6 and all prior versions are considered
    vulnerable.


    This bug, however, prevented the mutual authentication code from being
    executed, so it's possible that users think they're talking to a
    trusted server, but they're not.


    requests_kerberos/kerberos_.py


    Make certain that responses always pass through handle_other() to provide mutual
    authentication before returning them to the user.


    0.6: 2014-11-04
    Handle mutual authentication (see pull request 36)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8650
https://bugzilla.redhat.com/show_bug.cgi?id=1161650
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8650
http://www.openwall.com/lists/oss-security/2014/11/07/1
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8650.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8650
https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6
http://www.securityfocus.com/bid/70909
https://security-tracker.debian.org/tracker/CVE-2014-8650
http://cve.mitre.org/cve/request_id.html
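The control-flow defect the description refers to, shown as an added example that is not code from requests-kerberos or from this report. It is a simplified Python model of the auth handler: a shared-key HMAC stands in for the GSSAPI security context and for the opaque Negotiate tokens, and the Service class, the impostor behaviour and all function names are constructed for the illustration. get_vulnerable() mirrors the pre-0.6 shape, where the response to the re-sent request (the one carrying Authorization: Negotiate) was handed back to the caller without passing through handle_other(); get_fixed() mirrors 0.6, where every response reaching the caller goes through handle_other() and therefore through the server-token check.

```python
"""Model of the mutual-authentication gap fixed in requests-kerberos 0.6.

Added example, not the library's code. A shared secret stands in for the
Kerberos session key; real Negotiate tokens are opaque GSSAPI blobs that
are also bound to the individual context, so they cannot be replayed the
way this deterministic stand-in could.
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed stand-in for the session key shared by client and service.
SESSION_KEY = b"constructed-session-key"


def make_token(direction: bytes, key: bytes = SESSION_KEY) -> str:
    """Negotiate token stand-in: base64(HMAC(key, direction))."""
    return base64.b64encode(hmac.new(key, direction, hashlib.sha256).digest()).decode()


@dataclass
class Response:
    status_code: int
    headers: dict = field(default_factory=dict)
    history: list = field(default_factory=list)


class MutualAuthenticationError(Exception):
    """Raised when a server fails to prove knowledge of the session key."""


class Service:
    """Toy HTTP service. An honest service answers the client's token with its
    own; an impostor accepts the client token but cannot produce a server token
    because it never held the session key."""

    def __init__(self, honest: bool):
        self.honest = honest

    def handle(self, headers: dict) -> Response:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return Response(401, {"WWW-Authenticate": "Negotiate"})
        if self.honest:
            return Response(200, {"WWW-Authenticate": "Negotiate " + make_token(b"server")})
        return Response(200, {})


def authenticate_server(response: Response) -> bool:
    """Verify the server's Negotiate token (the GSSAPI step in the real library)."""
    m = re.match(r"Negotiate\s+(\S+)", response.headers.get("WWW-Authenticate", ""))
    if not m:
        return False
    return hmac.compare_digest(m.group(1), make_token(b"server"))


def handle_other(response: Response) -> Response:
    """Mutual-auth check that every non-401 response must pass before it is returned."""
    if not authenticate_server(response):
        raise MutualAuthenticationError("server did not prove its identity")
    return response


def handle_401(service: Service, response: Response) -> Response:
    """Answer the challenge by re-sending the request with a client token."""
    retry = service.handle({"Authorization": "Negotiate " + make_token(b"client")})
    retry.history.append(response)
    return retry


def get_vulnerable(service: Service) -> Response:
    """Pre-0.6 shape: the retried response bypasses handle_other()."""
    r = service.handle({})
    if r.status_code == 401:
        return handle_401(service, r)
    return handle_other(r)


def get_fixed(service: Service) -> Response:
    """0.6 shape: the retried response is also routed through handle_other()."""
    r = service.handle({})
    if r.status_code == 401:
        r = handle_401(service, r)
    return handle_other(r)


def outcome(get, honest: bool) -> str:
    """Summarise what the caller sees for an honest or impostor service."""
    try:
        return f"accepted {get(Service(honest)).status_code}"
    except MutualAuthenticationError:
        return "rejected"


if __name__ == "__main__":
    for name, get in (("vulnerable", get_vulnerable), ("fixed", get_fixed)):
        print(f"{name}: honest={outcome(get, True)} impostor={outcome(get, False)}")
```

Against an honest service both variants return the 200; against a service that cannot present a valid server token only get_fixed() raises, while get_vulnerable() hands the caller a response that looks authenticated. In the real library the check is governed by the mutual_authentication setting of HTTPKerberosAuth and only protects the caller when it is left at REQUIRED, so the remediation is both updating to 0.6 or later and not relaxing that setting.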
Comment 1 Alexandros Toptsoglou 2020-01-14 10:28:34 UTC
The fix was introduced in version 0.6. The oldest version that we ship is 0.10, and thus none of our codestreams is affected.