oss-sec mailing list archives
CVE Request -- urllib3: Does not check for SSL certificates by default
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 7 Sep 2012 07:50:26 -0400 (EDT)
Hello Kurt, Steve, vendors,

it was reported that urllib3, a Python HTTP library with thread-safe connection pooling and file post support, did not perform SSL certificate verification by default. A rogue HTTP server could use this flaw to conduct man-in-the-middle (MITM) attacks.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686872
[2] https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054
[3] https://bugzilla.redhat.com/show_bug.cgi?id=855320
(the bug actually has python-requests in the summary, but only due to the fact it contains embedded urllib3)

Patch applied by the Ubuntu Linux distribution:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=python-urllib3_1.3-2ubuntu1.debdiff;att=1;bug=686872

Reproducer:
[5] https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1047054/comments/0

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
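An added example (not code from this thread or from the urllib3 project) showing the weak configuration the report describes beside the hardened one, and a check that flags a pool that would accept any server certificate. CA_BUNDLE is a placeholder path; on a real system it points at the OS CA bundle or certifi.where().

```python
"""Configure urllib3 to verify server certificates, and audit a pool for the
weak setting described in the CVE request. Added example, not project code."""
import ssl

import urllib3
from urllib3.util.ssl_ import resolve_cert_reqs

# Placeholder (constructed); replace with e.g. /etc/ssl/certs/ca-certificates.crt
# or certifi.where() in production.
CA_BUNDLE = "/path/to/ca-bundle.pem"


def make_unverified_pool():
    """The weak setting: any certificate is accepted, so a rogue server on the
    path can impersonate the real host (the MITM case in the report)."""
    return urllib3.PoolManager(cert_reqs="CERT_NONE")


def make_verified_pool(ca_bundle=CA_BUNDLE):
    """The hardened setting: require a certificate and validate it against an
    explicit trust bundle."""
    return urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs=ca_bundle)


def pool_verifies_certs(pool):
    """Return True only if the pool will require and validate server certificates.

    Works on the keyword arguments the PoolManager hands to each connection
    pool, so it can be used as a guard before any request is made.
    """
    cert_reqs = resolve_cert_reqs(pool.connection_pool_kw.get("cert_reqs"))
    return cert_reqs == ssl.CERT_REQUIRED


def fetch(pool, url):
    """Refuse to send a request over a pool that does not verify certificates."""
    if not pool_verifies_certs(pool):
        raise RuntimeError("refusing HTTPS request: certificate verification is off")
    return pool.request("GET", url)


if __name__ == "__main__":
    print("unverified pool verifies certs:", pool_verifies_certs(make_unverified_pool()))
    print("verified pool verifies certs:", pool_verifies_certs(make_verified_pool()))
```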