Bug 855320
| Summary: | python-requests: Embedded urllib3 does not perform SSL certificates verification by default | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | a.badger, lmacken, rbean, sagarun | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-04-09 03:48:54 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 855322, 855323 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2012-09-07 11:39:40 UTC
This issue affects the versions of the python-requests package, as shipped with Fedora release of 16 and 17. Please schedule an update. -- This issue affects the version of the python-requests package, as shipped with Fedora EPEL 6. Please schedule an update. Created python-requests tracking bugs for this issue Affects: fedora-all [bug 855322] Affects: epel-6 [bug 855323] Reproducer ( from https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054/comments/0 ): The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd: #!/usr/bin/python from urllib3 import HTTPSConnectionPool http_pool = VerifiedHTTPSConnection('www.google.com') r = http_pool.urlopen('GET', '/', redirect=False) print r.status, r.headers.get('location') r = http_pool.urlopen('GET', '/', redirect=True) print r.status, len(r.data) Changing it to use: http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt') Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to. CVE request: [5] http://www.openwall.com/lists/oss-security/2012/09/07/7 Created attachment 610700 [details]
Local copy of the Ubuntu patch
I sent an email to the creator of python-requests couple of days back , here is the response i got from him. My email: ----------------- Hi Kenneth, Just sending this for your information , in case you haven't noticed it before. There has been a vulnerability reported in urllib3 library which is embedded in python-requests. I have been asked to fix it and schedule an update. Please check https://bugzilla.redhat.com/show_bug.cgi?id=855320 and http://www.openwall.com/lists/oss-security/2012/09/07/7 His response: ------------------- This seems like a design decision, not a vulnerability. Requests performs certificate verification by default. Any way i will schedule an update using this patch, I will also try remove the bundling of urllib3 if i can. Not fixed as of 2012-02-04, Fedora 17. Fixed with python-urllib3-1.5-5 and python-requests-1.1.0-3 https://admin.fedoraproject.org/updates/python-urllib3 https://admin.fedoraproject.org/updates/python-requests |