Bug 951594 (CVE-2013-2191)

Summary: CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate
Product: [Other] Security Response
Reporter: Florian Weimer <fweimer>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bkabrda, crobinso, dmalcolm, dzickus, jlieskov, jrusnack, notting, security-response-team, thoger, wwoods
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=moderate,public=20130619,reported=20130412,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/python-bugzilla=affected,epel-all/python-bugzilla=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-07-10 01:36:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 975961, 975962
Bug Blocks: 951587, 958831

Description Florian Weimer 2013-04-12 10:21:57 EDT
python-bugzilla uses the default xmlrpclib transports, which are based on classes in httplib which do not perform server certificate checking.  As a result, man-in-the-middle attacks on the HTTPS connection are possible.
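As an added illustration (not code from python-bugzilla or from the 0.9.0 fix), this is what a verifying XML-RPC transport looks like in Python 3's xmlrpc.client and ssl modules, the successors of the xmlrpclib/httplib classes the report concerns; it also shows the unverified configuration the report describes so the two can be told apart. The Bugzilla URL is a constructed placeholder.

```python
import ssl
import xmlrpc.client
from urllib.parse import urlsplit


def make_verified_context(cafile=None):
    """TLS context that checks the certificate chain and the hostname.

    ssl.create_default_context() loads the system trust store (or the given
    CA bundle), sets CERT_REQUIRED and enables hostname checking; the
    explicit assignments below make the requirement visible to reviewers.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # refuse an unverifiable chain
    ctx.check_hostname = True            # refuse a certificate for another host
    return ctx


def make_bugzilla_proxy(url, cafile=None):
    """XML-RPC proxy whose HTTPS transport verifies the Bugzilla server."""
    if urlsplit(url).scheme != "https":
        # Never fall back to plain HTTP for a Bugzilla XML-RPC endpoint.
        raise ValueError("Bugzilla XML-RPC URL must use https://, got %r" % url)
    transport = xmlrpc.client.SafeTransport(context=make_verified_context(cafile))
    return xmlrpc.client.ServerProxy(url, transport=transport)


def unverified_proxy(url):
    """The behaviour this bug describes: TLS is used, but nothing is verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return xmlrpc.client.ServerProxy(url, transport=xmlrpc.client.SafeTransport(context=ctx))


def transport_verifies(proxy):
    """Audit check: True only if the proxy's transport enforces verification."""
    transport = proxy("transport")          # ServerProxy exposes its transport this way
    ctx = getattr(transport, "context", None)
    return (
        isinstance(transport, xmlrpc.client.SafeTransport)
        and ctx is not None
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )
```

Constructing the proxies does not open a connection, so the audit check can run offline before any request is made.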
Comment 19 Jan Lieskovsky 2013-06-19 12:10:04 EDT
It was found that python-bugzilla, a Python library for interacting with Bugzilla instances over XML-RPC functionality, did not perform X.509 certificate verification when using a secured SSL connection. A man-in-the-middle (MiTM) attacker could use this flaw to spoof a Bugzilla server via an arbitrary certificate.

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Comment 20 Jan Lieskovsky 2013-06-19 12:15:58 EDT
The CVE identifier of CVE-2013-2191 has been assigned to this issue.
Comment 21 Jan Lieskovsky 2013-06-19 12:21:21 EDT
This issue affects the versions of the python-bugzilla package, as shipped with Fedora releases 17 and 18.

This issue affects the versions of the python-bugzilla package, as shipped with Fedora EPEL-5 and Fedora EPEL-6.
Comment 23 Jan Lieskovsky 2013-06-19 12:55:54 EDT
Created python-bugzilla tracking bugs for this issue

Affects: fedora-all [bug 975961]
Affects: epel-all [bug 975962]
Comment 24 Fedora Update System 2013-06-29 14:49:30 EDT
python-bugzilla-0.9.0-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2013-07-08 16:10:23 EDT
python-bugzilla-0.9.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2013-07-09 21:24:53 EDT
python-bugzilla-0.9.0-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2013-07-09 21:32:23 EDT
python-bugzilla-0.9.0-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.