Bug 1143802 (CVE-2014-7143)

Summary: CVE-2014-7143 python-twisted-web: specified trustRoot not respected
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: jonathansteffan, lemenkov, matthias, python-maint, thomas, vdanen
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: twisted 14.0.1
Doc Type: Bug Fix
Last Closed: 2014-09-18 03:51:11 UTC

Description Murray McAllister 2014-09-18 03:49:12 UTC
The following flaw was reported in the Twisted HTTP client:

""
When specifying the trustRoot (CA store) for the HTTP client, Twisted
did not respect the user's specification, and always used the default
of the platform trust. This means that users attempting to use this
feature to implement certificate pinning, or otherwise restrict the
trust CAs would still have accepted any certificate signed by a CA.
""

It was reported that this issue only affects version 14.0. This version is not in Fedora or Red Hat Enterprise Linux, and source code inspection reveals the patch does not apply.

Upstream fix:

https://twistedmatrix.com/~diffresource.twistd/7647

Original report:

http://www.openwall.com/lists/oss-security/2014/09/17/4
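A regression check for the behaviour described in the report, added here as an example and not part of the report or of Twisted's own code: it hands BrowserLikePolicyForHTTPS a recording trust root and reports whether Twisted consulted it when building the TLS context for a host. It assumes that the private IOpenSSLTrustRoot hook _addCACertsToContext(context) is what Twisted invokes to load a trust root's CA certificates, and imports Twisted lazily so that the check degrades to a "twisted-not-installed" result where Twisted is absent.

```python
"""Regression check for CVE-2014-7143: does the Twisted HTTP client's
HTTPS policy consult the trustRoot it was given, or silently fall back
to the platform trust store?

Constructed example, not Twisted's own test suite. It relies on the
private IOpenSSLTrustRoot hook _addCACertsToContext(context), which
Twisted calls while building a client TLS context (assumption: still
true for the Twisted version under test)."""


def trust_root_is_respected(hostname=b"example.invalid", port=443):
    """Return "respected", "ignored" or "twisted-not-installed".

    A recording trust root is handed to BrowserLikePolicyForHTTPS. If
    Twisted builds the per-host TLS context from the platform trust
    instead (the 14.0.0 defect), the recorder is never consulted."""
    try:
        from twisted.internet._sslverify import IOpenSSLTrustRoot
        from twisted.web.client import BrowserLikePolicyForHTTPS
        from zope.interface import implementer
    except ImportError:
        return "twisted-not-installed"

    @implementer(IOpenSSLTrustRoot)
    class RecordingTrustRoot:
        """Stand-in CA store that only records whether it was used."""

        def __init__(self):
            self.contexts = []

        def _addCACertsToContext(self, context):
            # A real trust root would add CA certificates to the
            # OpenSSL context here; we merely note that Twisted asked.
            self.contexts.append(context)

    recorder = RecordingTrustRoot()
    policy = BrowserLikePolicyForHTTPS(trustRoot=recorder)
    # creatorForNetloc builds the TLS options (and so the OpenSSL
    # context) for one host; no network connection is opened.
    policy.creatorForNetloc(hostname, port)
    return "respected" if recorder.contexts else "ignored"


if __name__ == "__main__":
    print(trust_root_is_respected())
```

On Twisted 14.0.0 the check returns "ignored"; on 14.0.1 and later (the fixed version named in this record) it should return "respected".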

Comment 1 Murray McAllister 2014-09-18 03:51:11 UTC
Statement:

Not vulnerable. This issue did not affect the versions of python-twisted-web as shipped with Red Hat Enterprise Linux 6 and 7.