oss-sec mailing list archives

Re: CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9)

From: Tomas Hoger <thoger () redhat com>
Date: Fri, 13 Dec 2013 14:30:18 +0100

On Wed, 22 May 2013 11:46:39 -0400 (EDT) Jan Lieskovsky wrote:

It was found that Transifex command-line client, a command line
tool for Transifex translation management, did not perform X.509
certificate verification when using secured SSL connection. A
man-in-the-middle attacker could use this flaw to spoof a Transifex
server via an arbitrary certificate.

The CVE identifier of CVE-2013-2073 has been allocated to this issue.


The way certificate check was implemented to fix CVE-2013-2073 was
incorrect (check was done on "probe" connection, but not the actual
connection used to transfer data).  This should now be fixed in 0.10
(I can't confirm atm), which switches to use urllib3 with proper
certificate checks.

https://github.com/transifex/transifex-client/issues/42
https://github.com/transifex/transifex-client/commit/6d69d61

This should get a new CVE.

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

Re: CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9) Tomas Hoger (Dec 13)
- Re: CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9) cve-assign (Dec 15)
  - Re: Re: CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9) Tomas Hoger (Dec 16)
    - Re: Re: CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9) Kurt Seifried (Dec 16)