Bug 1274186

Summary: python-requests: Skipping SSL verification when connecting via HTTP proxy
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, abaron, aortega, apevec, ayoung, bkearney, ceph-eng-bugs, chrisw, cpelland, dallan, extras-orphan, gkotton, jschluet, katello-bugs, lhh, lpeer, markmc, mmccune, nlevinki, ohadlevy, python-maint, rbean, rbryant, rfortier, rhos-maint, rhs-bugs, sagarun, sclewis, sgirijan, smohan, ssaha, tdecacqu, tjay, tlestach, vbellur, vkrizan, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-requests 2.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-30 14:48:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1271867, 1274189, 1274190    
Bug Blocks: 1274188    

Description Adam Mariš 2015-10-22 08:32:37 UTC
A vulnerability in python-request package was reported. python-requests does not perform SSL verification when an external HTTPS server is accessed through an HTTP CONNECT proxy. This enables man-in-the-middle attacks against any requests code running on RHEL 6.6 servers behind a proxy.

Reproducer can be found in original product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1271867

Comment 1 Adam Mariš 2015-10-22 08:39:15 UTC
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 1274189]
Affects: epel-all [bug 1274190]

Comment 2 Viliam Križan 2015-10-30 14:33:06 UTC
python-requests in version less than 2.0 does not properly tunnel requests via 
proxy. `HTTPConnection` is used to directly talk to an unsecured proxy through 
http protocol, instead of `HTTPSConnection`, even when the requested URL has the 
https protocol included. Therefore, no SSL connection is established between 
client and proxy server. SSL connection and verification is done only between 
a proxy and an endpoint server.

Tunneled proxing using proxy CONNECT method was introduced in python-requests 
version 2.0 [1]. 

Fixing this issue is not trivial and would require rebasing. 

[1] http://docs.python-requests.org/en/latest/community/updates/#id29

Mitigation:

Use trusted proxy server.

Comment 3 Viliam Križan 2015-10-30 14:41:35 UTC
Statement:

This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 6.7 and 7.

This issue affects the versions of python-requests as shipped with Red Hat Enterprise Linux 6.6. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates because it would require an invasive change in the shipped version of python-requests.