Bug 1274186
Summary: | python-requests: Skipping SSL verification when connecting via HTTP proxy | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aavati, abaron, aortega, apevec, ayoung, bkearney, ceph-eng-bugs, chrisw, cpelland, dallan, extras-orphan, gkotton, jschluet, katello-bugs, lhh, lpeer, markmc, mmccune, nlevinki, ohadlevy, python-maint, rbean, rbryant, rfortier, rhos-maint, rhs-bugs, sagarun, sclewis, sgirijan, smohan, ssaha, tdecacqu, tjay, tlestach, vbellur, vkrizan, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-requests 2.0 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-10-30 14:48:04 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1271867, 1274189, 1274190 | ||
Bug Blocks: | 1274188 |
Description
Adam Mariš
2015-10-22 08:32:37 UTC
Created python-requests tracking bugs for this issue: Affects: fedora-all [bug 1274189] Affects: epel-all [bug 1274190] python-requests in version less than 2.0 does not properly tunnel requests via proxy. `HTTPConnection` is used to directly talk to an unsecured proxy through http protocol, instead of `HTTPSConnection`, even when the requested URL has the https protocol included. Therefore, no SSL connection is established between client and proxy server. SSL connection and verification is done only between a proxy and an endpoint server. Tunneled proxing using proxy CONNECT method was introduced in python-requests version 2.0 [1]. Fixing this issue is not trivial and would require rebasing. [1] http://docs.python-requests.org/en/latest/community/updates/#id29 Mitigation: Use trusted proxy server. Statement: This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 6.7 and 7. This issue affects the versions of python-requests as shipped with Red Hat Enterprise Linux 6.6. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates because it would require an invasive change in the shipped version of python-requests. |