In stable we release python-opsi 4.0.6.46.1-1.
On server operating systems using a Python version with the patch for Python bug 22928 the changes made with that patch result in newline characters (\n) being not allowed anymore in HTTP headers.
This patch addresses the problems described in CVE-2016-5699.
The effect on opsi is that i.e. installing a package on a depot results in an "Invalid header value" error message and the installation not taking place.
Even though only depots with an ID longer than 24 characters seem to be affected we strongly advice installing this update.
With kind regards
Niko Wenselowski
PS: Changelog:
Code: Alles auswählen
python-opsi (4.0.6.46.1-1) stable; urgency=medium
* Using the new-style base64 Python interface to avoid breaking with
combinations of username and password that exceed 72 characters and
lead to newlines in the base64-encoded authentication header.
This is in response to CVE-2016-5699 / Python bug 22928 as these
patched Python versions may lead to breaks on some systems.
-- Niko Wenselowski <n.wenselowski@uib.de> Wed, 22 Jun 2016 17:28:31 +0200