Date: Thu, 11 Dec 2014 02:26:50 +0000
From: Alex Gaynor <alex.gaynor@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request: Python, standard library HTTP clients

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I'm requesting a CVE for CPython (sometimes Python), for failure to validate
certificates in the HTTP client with TLS.

Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS
Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3
Description:

When Python's standard library HTTP clients (httplib, urllib, urllib2,
xmlrpclib) are used to access resources with HTTPS, by default the certificate
is not checked against any trust store, nor is the hostname in the certificate
checked against the requested host. It was possible to configure a trust root
to be checked against, however there were no faculties for hostname checking.

This made MITM attacks against the HTTP clients trivial, and violated RFC 2818
(http://tools.ietf.org/html/rfc2818#section-3).

Python 2.7.9 has been issued to resolve this issue. It is also resolved in
3.4.3, which has not yet been released.

Thanks,
Alex
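The two failures the request describes (no trust-store check, no hostname check) map directly onto two attributes of an `ssl.SSLContext`. The following is an added example, not code from the original message or from CPython itself: it audits a context for those two weaknesses, builds a context that has neither, and gates a `urllib.request.urlopen` call on the audit. It assumes Python 3 (so `urllib.request` rather than `urllib2`) and uses the `context=` parameter that `urlopen` gained in the fixed releases; the version thresholds are the ones named in the request.

```python
"""Added example (not from the original post): auditing and building
verifying TLS contexts for Python's standard-library HTTP clients."""
import ssl
import sys
import urllib.request

# First releases of each series that verify certificates by default,
# as stated in the CVE request above.
FIXED_VERSIONS = {2: (2, 7, 9), 3: (3, 4, 3)}


def interpreter_verifies_by_default(version_info=sys.version_info):
    """True if this interpreter is at or past the fix for its major series."""
    major = version_info[0]
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return major > 3  # anything newer than the 3.x series inherits the fix
    return tuple(version_info[:3]) >= fixed


def audit_context(ctx):
    """Return the weaknesses a context has, mirroring the two failures in the
    request: the chain is not validated, and the hostname is not checked."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate not validated against a trust store")
    if not ctx.check_hostname:
        problems.append("hostname not checked against the certificate")
    return problems


def legacy_like_context():
    """Reproduce the pre-fix defaults (no CA check, no hostname check) so that
    audit_context can be demonstrated. Built for the audit only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Context that validates the chain against the platform trust store
    (or the given CA file) and checks the hostname against the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch(url, ctx=None):
    """Fetch url over HTTPS, refusing to proceed with a non-verifying context.
    Network access happens only when this is called; hypothetical URL below."""
    ctx = ctx or hardened_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    print("interpreter verifies by default:", interpreter_verifies_by_default())
    print("legacy-like context problems:", audit_context(legacy_like_context()))
    print("hardened context problems:", audit_context(hardened_context()))
```

Note the ordering in `legacy_like_context`: CPython refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is why the weak context has to clear the hostname check first. The same coupling works in the defender's favour when reviewing code: any context that reaches `CERT_NONE` has also, necessarily, had hostname checking switched off.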
