Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Dec 2014 02:26:50 +0000
From: Alex Gaynor <alex.gaynor@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request: Python, standard library HTTP clients

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I'm request a CVE for CPython (sometimes Python), for failure to validate
certificates in the HTTP client with TLS.

Title: Python standard HTTP libraries fail to validate TLS certificates for
HTTPS
Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to
3.4.3
Description:

When Python's standard library HTTP clients (httplib, urllib, urllib2,
xmlrpclib) are used to access resources with HTTPS, by default the
certificate
is not checked against any trust store, nor is the hostname in the
certificate
checked against the requested host. It was possible to configure a trust
root
to be checked against, however there were no faculties for hostname
checking.

This made MITM attacks against the HTTP clients trivial, and violated RFC
2818
(http://tools.ietf.org/html/rfc2818#section-3).

Python 2.7.9 has been issued to resolve this issue. It is also resolved in
3.4.3, which has not yet been released.

Thanks,
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUiQDDAAoJEBJfXGff6UCEAAkP+gOsOCZW2BHtZcUq+zuzNh8/
lZZZDJeyXGnaneTAI3PcaV6ep4F//N+kYbpnKNKFvj7xs6VI5w/8935Uj9LRKs3Q
cGqJfZlBOZnPrsm/T9AnCkOSoiyCXr38zVi2VJi0G3i/iyUm0pGExffjH2ra0P2w
HjHUl/6+WuzS1JTVkxrKQilv/gG+OC8H7uTpCWLbo6bt/mWG2AB33uI67CHwD12H
puah4NfeGGMw1WNhZ1pe0RGdZ6jyiMJv7dMbNDlVyqqTuCC27mzrVCq3NpCWGgRj
xjdgKSg4NoS8v4yct5Wi3depDksFx8mQmuGO/5K6UIzYKR2AhFtx/tSLnrig4rPR
9qoz9qVhOWjBPI0N80I1OxYhRXdbugIInQH2Otd0H+zQksZs2I549UFpFEz3yDrP
NwHOOxnxf8blJKwkY3eoyKd5ZoPozIsfqyv5MZxPkRmV5pUZW2RpHxfSD+m9S5Ug
iUDJido94swWHW2fXhZXChjWYJzPyFxyvKILegQrSbmyG3N/OlusF5IM9AXgrr09
2n48O6JfOzetg+5aOEAn9nv52xxuqRInJjyKPNyR2mSjyrREGOGvjCDfmMJYp3Ba
2J8lZEQZYhavnM3xM6ZsogV20QrqWK+jOl8afKctyae9uwRJu71CRaRbKvJd7Qtd
DzUVQo9UJnNanbKFsz5T
=dPDp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.