Bug 1143802 (CVE-2014-7143) - CVE-2014-7143 python-twisted-web: specified trustRoot not respected
Summary: CVE-2014-7143 python-twisted-web: specified trustRoot not respected
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-7143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-18 03:49 UTC by Murray McAllister
Modified: 2021-02-17 06:12 UTC
CC List: 6 users

Fixed In Version: twisted 14.0.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-18 03:51:11 UTC
Embargoed:



Description Murray McAllister 2014-09-18 03:49:12 UTC
The following flaw was reported in the Twisted HTTP client:

""
When specifying the trustRoot (CA store) for the HTTP client, Twisted
did not respect the user's specification, and always used the default
of the platform trust. This means that users attempting to use this
feature to implement certificate pinning, or otherwise restrict the
trust CAs would still have accepted any certificate signed by a CA.
""

It was reported that this issue only affects version 14.0. This version is not in Fedora or Red Hat Enterprise Linux, and source code inspection reveals the patch does not apply.

Upstream fix:

https://twistedmatrix.com/~diffresource.twistd/7647

Original report:

http://www.openwall.com/lists/oss-security/2014/09/17/4

Comment 1 Murray McAllister 2014-09-18 03:51:11 UTC
Statement:

Not vulnerable. This issue did not affect the versions of python-twisted-web as shipped with Red Hat Enterprise Linux 6 and 7.

