A vulnerability in python-request package was reported. python-requests does not perform SSL verification when an external HTTPS server is accessed through an HTTP CONNECT proxy. This enables man-in-the-middle attacks against any requests code running on RHEL 6.6 servers behind a proxy. Reproducer can be found in original product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1271867
Created python-requests tracking bugs for this issue: Affects: fedora-all [bug 1274189] Affects: epel-all [bug 1274190]
python-requests in version less than 2.0 does not properly tunnel requests via proxy. `HTTPConnection` is used to directly talk to an unsecured proxy through http protocol, instead of `HTTPSConnection`, even when the requested URL has the https protocol included. Therefore, no SSL connection is established between client and proxy server. SSL connection and verification is done only between a proxy and an endpoint server. Tunneled proxing using proxy CONNECT method was introduced in python-requests version 2.0 [1]. Fixing this issue is not trivial and would require rebasing. [1] http://docs.python-requests.org/en/latest/community/updates/#id29 Mitigation: Use trusted proxy server.
Statement: This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 6.7 and 7. This issue affects the versions of python-requests as shipped with Red Hat Enterprise Linux 6.6. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates because it would require an invasive change in the shipped version of python-requests.