oss-sec mailing list archives

CVE request: Python, standard library HTTP clients


From: Alex Gaynor <alex.gaynor () gmail com>
Date: Thu, 11 Dec 2014 02:26:50 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I'm requesting a CVE for CPython (sometimes Python), for failure to validate
certificates in the HTTP client with TLS.

Title: Python standard HTTP libraries fail to validate TLS certificates for
HTTPS
Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to
3.4.3
Description:

When Python's standard library HTTP clients (httplib, urllib, urllib2,
xmlrpclib) are used to access resources with HTTPS, by default the certificate
is not checked against any trust store, nor is the hostname in the certificate
checked against the requested host. It was possible to configure a trust root
to be checked against, however there were no faculties for hostname checking.

This made MITM attacks against the HTTP clients trivial, and violated RFC 2818
(http://tools.ietf.org/html/rfc2818#section-3).

Python 2.7.9 has been issued to resolve this issue. It is also resolved in
3.4.3, which has not yet been released.
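The two checks the description above says were missing (chain validation against a trust store, and matching the certificate to the requested host) are exactly the two attributes a defender should audit on an SSLContext today. The following is an added example, not code from the original post or from CPython itself; it assumes a Python 3 interpreter with the post-2.7.9/3.4.3 ssl API (ssl.create_default_context, SSLContext.check_hostname) and a platform trust store, and the URL it uses is a constructed placeholder.

```python
import ssl
import urllib.request


def verifying_context(cafile=None):
    """Build a client context that performs both RFC 2818 checks.

    create_default_context(SERVER_AUTH) sets verify_mode=CERT_REQUIRED and
    check_hostname=True. cafile=None means the platform's default trust store
    (assumption: one exists; on minimal containers pass an explicit CA bundle).
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def legacy_style_context():
    """Reproduce the pre-fix default the advisory describes: no trust-store
    check and no hostname check. Constructed here only so audit_context()
    below has a bad input to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context validates
    the chain against a trust store and matches the certificate to the host."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: chain is not "
                        "validated against any trust store")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: certificate identity is "
                        "not matched to the requested host")
    return problems


def fetch(url, ctx, timeout=10):
    """GET url over HTTPS, refusing to open a connection unless ctx passes
    the audit. urlopen has accepted a context= argument since 2.7.9/3.4.3."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder host (.invalid is reserved); fetch() rejects the legacy
    # context before any network I/O happens, so this runs offline.
    print("default context findings:", audit_context(verifying_context()))
    print("legacy context findings:", audit_context(legacy_style_context()))
    try:
        fetch("https://example.invalid/", legacy_style_context())
    except ValueError as exc:
        print(exc)
```

The audit is cheap enough to run at startup against every context an application constructs (or to wrap around any third-party code that hands you a context), and it catches the common regression of disabling verification "temporarily" to get past a self-signed test certificate.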

Thanks,
Alex
