Bug 855320 - python-requests: Embedded urllib3 does not perform SSL certificate verification by default
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 855322 855323
Reported: 2012-09-07 07:39 EDT by Jan Lieskovsky
Modified: 2013-04-08 23:48 EDT
Doc Type: Bug Fix
Last Closed: 2013-04-08 23:48:54 EDT

Attachments:
Local copy of the Ubuntu patch (1.78 KB, patch), 2012-09-07 07:53 EDT, Jan Lieskovsky

Description Jan Lieskovsky 2012-09-07 07:39:40 EDT
It was reported that urllib3, a Python HTTP library with thread-safe connection pooling and file post support, did not perform SSL certificate verification by default. A rogue HTTP server could use this flaw to conduct man-in-the-middle (MITM) attacks.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686872
[2] https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054

Patch applied by the Ubuntu Linux distribution:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=python-urllib3_1.3-2ubuntu1.debdiff;att=1;bug=686872
Comment 1 Jan Lieskovsky 2012-09-07 07:42:22 EDT
This issue affects the versions of the python-requests package, as shipped with Fedora releases 16 and 17. Please schedule an update.


This issue affects the version of the python-requests package, as shipped with Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-09-07 07:43:21 EDT
Created python-requests tracking bugs for this issue

Affects: fedora-all [bug 855322]
Affects: epel-6 [bug 855323]
Comment 3 Jan Lieskovsky 2012-09-07 07:51:10 EDT
Reproducer ( from https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054/comments/0 ):

The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
from __future__ import print_function
from urllib3 import HTTPSConnectionPool

# No cert_reqs/ca_certs given: in the urllib3 versions this bug covers that
# means CERT_NONE, so any certificate is accepted and the connection can be MITMd.
http_pool = HTTPSConnectionPool('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print(r.status, r.headers.get('location'))
r = http_pool.urlopen('GET', '/', redirect=True)
print(r.status, len(r.data))

Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')

Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
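Worked example, added here and not part of the bug report, of urllib3 or of requests: it shows on the loopback interface, with only the Python standard library, why the unverified default above can be MITMd while the CERT_REQUIRED plus CA-bundle configuration refuses the same connection. A throwaway self-signed certificate, minted with the openssl command-line tool (assumed to be on PATH), stands in for the rogue server's certificate; the hostname www.google.com is reused from the reproducer as the name the client believes it is contacting, and mitm.example is a constructed name for the rogue certificate. The helper names (handshake_succeeds, unverified_client_context, verifying_client_context, demo) are this example's own.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed names: what the client believes it is contacting (from the
# reproducer) versus what the rogue server's certificate actually says.
EXPECTED_HOST = 'www.google.com'
ROGUE_CN = 'mitm.example'


def make_self_signed_cert(directory, common_name=ROGUE_CN):
    """Mint a throwaway self-signed cert/key pair with the openssl CLI (assumed on
    PATH). Returns (certfile, keyfile), or None if openssl is unavailable."""
    certfile = os.path.join(directory, 'cert.pem')
    keyfile = os.path.join(directory, 'key.pem')
    cmd = ['openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-nodes', '-days', '1',
           '-subj', '/CN=' + common_name, '-keyout', keyfile, '-out', certfile]
    try:
        subprocess.run(cmd, check=True, capture_output=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return certfile, keyfile


def handshake_succeeds(client_ctx, certfile, keyfile, server_hostname=EXPECTED_HOST):
    """Handshake once against a loopback server presenting certfile and report
    whether the client accepted it. The client is told it is talking to
    server_hostname, as it would be behind a DNS or ARP spoof."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(('127.0.0.1', 0))
    listener.listen(1)

    def server():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # only the unverified client gets this far
        except (ssl.SSLError, OSError):
            pass  # handshake aborted by a verifying client, or accept timed out

    worker = threading.Thread(target=server, daemon=True)
    worker.start()
    try:
        raw = socket.create_connection(listener.getsockname(), timeout=5)
        try:
            # wrap_socket runs the handshake with whatever chain and hostname
            # checks client_ctx asks for; SSLCertVerificationError is an SSLError.
            with client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(b'x')
            return True
        except ssl.SSLError:
            return False
        finally:
            raw.close()
    finally:
        worker.join(5)
        listener.close()


def unverified_client_context():
    """What urllib3 did by default here: no chain validation, no hostname check
    (check_hostname has to be cleared before verify_mode can become CERT_NONE)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_client_context(ca_bundle=None):
    """The secure default comment 3 asks for: CERT_REQUIRED plus hostname matching,
    trusting the system store or, when a path is given, that one CA bundle."""
    ctx = ssl.create_default_context()
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def demo():
    """Return (rogue cert accepted by the unverified client, accepted by the
    verifying client); None if no cert or loopback socket is available here."""
    with tempfile.TemporaryDirectory() as workdir:
        made = make_self_signed_cert(workdir)
        if made is None:
            return None
        try:
            return (handshake_succeeds(unverified_client_context(), *made),
                    handshake_succeeds(verifying_client_context(), *made))
        except OSError:
            return None


if __name__ == '__main__':
    print(demo())  # expected: (True, False)
```

The unverified client completes the handshake with a certificate for a completely different name, which is all an attacker on the path needs; the verifying client fails before sending any application data. Passing a bundle path to verifying_client_context corresponds to the ca_certs argument in the fixed reproducer line above, and the hostname check is what makes CERT_REQUIRED meaningful against a MITM who holds some other site's valid certificate.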
Comment 4 Jan Lieskovsky 2012-09-07 07:52:19 EDT
CVE request:
[5] http://www.openwall.com/lists/oss-security/2012/09/07/7
Comment 5 Jan Lieskovsky 2012-09-07 07:53:16 EDT
Created attachment 610700 [details]
Local copy of the Ubuntu patch
Comment 6 Arun S A G 2012-09-10 13:36:57 EDT
I sent an email to the creator of python-requests a couple of days back; here is the response I got from him.

My email:

Hi Kenneth,

Just sending this for your information, in case you haven't noticed it before. There has been a vulnerability reported in urllib3 library which is embedded in python-requests. I have been asked to fix it and schedule an update. Please check https://bugzilla.redhat.com/show_bug.cgi?id=855320 and http://www.openwall.com/lists/oss-security/2012/09/07/7

His response:
This seems like a design decision, not a vulnerability.

Requests performs certificate verification by default.

Anyway, I will schedule an update using this patch. I will also try to remove the bundling of urllib3 if I can.
Comment 7 Toshio Ernie Kuratomi 2013-02-04 15:20:40 EST
Not fixed as of 2012-02-04, Fedora 17.
Comment 8 Ralph Bean 2013-04-08 23:48:54 EDT
Fixed with python-urllib3-1.5-5 and python-requests-1.1.0-3

