Bug 855320 - python-requests: Embedded urllib3 does not perform SSL certificates verification by default
Summary: python-requests: Embedded urllib3 does not perform SSL certificates verificat...
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 855322 855323
TreeView+ depends on / blocked
Reported: 2012-09-07 11:39 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:55 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-04-09 03:48:54 UTC

Attachments (Terms of Use)
Local copy of the Ubuntu patch (1.78 KB, patch)
2012-09-07 11:53 UTC, Jan Lieskovsky
no flags Details | Diff

Description Jan Lieskovsky 2012-09-07 11:39:40 UTC
It was reported that urllib3, a Python HTTP library with thread-safe connection pooling and file post support, did not perform SSL certificates verification by default. A rogue HTTP server could use this flaw to conduct man-in-the-middle (MITM) attacks.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686872
[2] https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054

Patch applied by the Ubuntu Linux distribution:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=python-urllib3_1.3-2ubuntu1.debdiff;att=1;bug=686872

Comment 1 Jan Lieskovsky 2012-09-07 11:42:22 UTC
This issue affects the versions of the python-requests package, as shipped with Fedora release of 16 and 17. Please schedule an update.


This issue affects the version of the python-requests package, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-09-07 11:43:21 UTC
Created python-requests tracking bugs for this issue

Affects: fedora-all [bug 855322]
Affects: epel-6 [bug 855323]

Comment 3 Jan Lieskovsky 2012-09-07 11:51:10 UTC
Reproducer ( from https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054/comments/0 ):

The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
from urllib3 import HTTPSConnectionPool
http_pool = VerifiedHTTPSConnection('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print r.status, r.headers.get('location')
r = http_pool.urlopen('GET', '/', redirect=True)
print r.status, len(r.data)

Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')

Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.

Comment 4 Jan Lieskovsky 2012-09-07 11:52:19 UTC
CVE request:
[5] http://www.openwall.com/lists/oss-security/2012/09/07/7

Comment 5 Jan Lieskovsky 2012-09-07 11:53:16 UTC
Created attachment 610700 [details]
Local copy of the Ubuntu patch

Comment 6 Arun S A G 2012-09-10 17:36:57 UTC
I sent an email to the creator of python-requests couple of days back , here is the response i got from him.

My email:

Hi Kenneth,

Just sending this for your information , in case you haven't noticed it before. There has been a vulnerability reported in urllib3 library which is embedded in python-requests. I have been asked to fix it and schedule an update. Please check https://bugzilla.redhat.com/show_bug.cgi?id=855320 and http://www.openwall.com/lists/oss-security/2012/09/07/7

His response:
This seems like a design decision, not a vulnerability.

Requests performs certificate verification by default.

Any way i will schedule an update using this patch, I will also try remove the bundling of urllib3 if i can.

Comment 7 Toshio Ernie Kuratomi 2013-02-04 20:20:40 UTC
Not fixed as of 2012-02-04, Fedora 17.

Comment 8 Ralph Bean 2013-04-09 03:48:54 UTC
Fixed with python-urllib3-1.5-5 and python-requests-1.1.0-3


Note You need to log in before you can comment on or make changes to this bug.