It was reported that urllib3, a Python HTTP library with thread-safe connection pooling and file post support, did not perform SSL certificate verification by default. A rogue HTTP server could use this flaw to conduct man-in-the-middle (MITM) attacks.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686872
[2] https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054

Patch applied by the Ubuntu Linux distribution:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=python-urllib3_1.3-2ubuntu1.debdiff;att=1;bug=686872
This issue affects the versions of the python-requests package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the version of the python-requests package, as shipped with Fedora EPEL 6. Please schedule an update.
Created python-requests tracking bugs for this issue

Affects: fedora-all [bug 855322]
Affects: epel-6 [bug 855323]
Reproducer (from https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054/comments/0):

The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:

    #!/usr/bin/python
    from __future__ import print_function
    from urllib3 import HTTPSConnectionPool

    # Pool created with urllib3's defaults: the server certificate is not verified.
    http_pool = HTTPSConnectionPool('www.google.com')
    r = http_pool.urlopen('GET', '/', redirect=False)
    print(r.status, r.headers.get('location'))
    r = http_pool.urlopen('GET', '/', redirect=True)
    print(r.status, len(r.data))

Changing it to use:

    http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED',
                                    ca_certs='/etc/ssl/certs/ca-certificates.crt')

results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
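As an added illustration that is not part of the bug report, the same weak-versus-verified configuration expressed with the standard-library ssl module that urllib3 wraps: cert_reqs='CERT_NONE' corresponds to verify_mode CERT_NONE and the ca_certs bundle to load_verify_locations. The audit_context helper is hypothetical, and the CA bundle path is the Debian/Ubuntu one from the reproducer.

```python
import ssl

# CA bundle path from the reproducer above (Debian/Ubuntu layout); pass None
# to verified_context() to fall back to the interpreter's default trust store.
DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def unverified_context():
    """Mirror of the pre-patch urllib3 default: TLS is negotiated, but the
    peer certificate is never checked, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_bundle=None):
    """Equivalent of cert_reqs='CERT_REQUIRED', ca_certs=<bundle>: the peer
    must present a certificate that chains to a trusted CA and matches the
    requested hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle is None:
        ctx.load_default_certs()
    else:
        # Raises FileNotFoundError if the bundle is missing, rather than
        # silently verifying against an empty trust store.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_context(ctx):
    """Hypothetical helper: return the settings that leave a client open to
    the MITM described in the report (empty list means the context verifies)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    return findings


if __name__ == "__main__":
    print("default-like context:", audit_context(unverified_context()))
    print("verified context:", audit_context(verified_context()))
```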
CVE request: [5] http://www.openwall.com/lists/oss-security/2012/09/07/7
Created attachment 610700: Local copy of the Ubuntu patch
I sent an email to the creator of python-requests a couple of days back; here is the response I got from him.

My email:
-----------------
Hi Kenneth,

Just sending this for your information, in case you haven't noticed it before. There has been a vulnerability reported in the urllib3 library which is embedded in python-requests. I have been asked to fix it and schedule an update. Please check https://bugzilla.redhat.com/show_bug.cgi?id=855320 and http://www.openwall.com/lists/oss-security/2012/09/07/7

His response:
-------------------
This seems like a design decision, not a vulnerability. Requests performs certificate verification by default.

Anyway, I will schedule an update using this patch. I will also try to remove the bundling of urllib3 if I can.
Not fixed as of 2012-02-04, Fedora 17.
Fixed with python-urllib3-1.5-5 and python-requests-1.1.0-3:
https://admin.fedoraproject.org/updates/python-urllib3
https://admin.fedoraproject.org/updates/python-requests