oss-sec mailing list archives
Re: CVE request: Python, standard library HTTP clients
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Wed, 10 Dec 2014 21:57:09 -0500 (EST)
On Thu, 11 Dec 2014 02:26:50 +0000, Alex Gaynor <alex.gaynor () gmail com> wrote:

I'm requesting a CVE for CPython (sometimes Python), for failure to validate certificates in the HTTP client with TLS.

Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS

Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3

Description: When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking.
...
Python 2.7.9 has been issued to resolve this issue. It is also resolved in 3.4.3, which has not yet been released.
Awesome!! I am *DELIGHTED* that this serious problem is finally getting fixed. Thank you for your effort!

For those curious about this, more information about this is in PEP 0476:
http://legacy.python.org/dev/peps/pep-0476/
and these articles:
https://lwn.net/Articles/582065/
https://lwn.net/Articles/611243/

This has been the underlying cause of numerous CVEs going back to at least 2010, e.g.:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4340
but the CVEs have always been assigned (to my knowledge) to the applications using Python, and never the library that didn't provide the functionality that developers often expected. I expect a lot of silent vulnerabilities will be removed by this change.

--- David A. Wheeler
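A short Python 3 check, added here as an illustration and not code from either poster or from CPython itself: it inspects an ssl.SSLContext for exactly the two defects the request describes (no trust-store verification, no hostname check), and builds the pre-2.7.9 behaviour explicitly beside the PEP 476 default so the two can be compared.

```python
"""Audit an SSLContext for the two defects PEP 476 fixed.

Added example for this thread, not part of CPython or the posters' code.
A context is only as safe as its settings: the pre-2.7.9 default was
CERT_NONE with no hostname matching, which accepts any certificate.
"""
import ssl


def context_findings(ctx: ssl.SSLContext) -> list:
    """Return the names of the checks that are missing from ctx.

    An empty list means the context behaves like the 2.7.9 / 3.4.3 default:
    the peer certificate is verified against a trust store AND the certificate's
    hostname is matched against the requested host.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no trust-store verification (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("no hostname check (check_hostname is False)")
    return findings


def legacy_unverified_context() -> ssl.SSLContext:
    """Reproduce the pre-2.7.9 client behaviour explicitly (for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, for any name, is accepted
    return ctx


def verifying_context() -> ssl.SSLContext:
    """The PEP 476 default: system trust store plus hostname matching."""
    return ssl.create_default_context()


def loaded_ca_count(ctx: ssl.SSLContext) -> int:
    """How many CA certificates the context can chain to; 0 means every handshake
    with CERT_REQUIRED fails closed, which is safe but unusable."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_unverified_context()),
                      ("default", verifying_context())):
        print(name, context_findings(ctx) or "OK", "CAs loaded:", loaded_ca_count(ctx))
```

Wiring the audit into a wrapper around http.client.HTTPSConnection or urllib.request lets a code base reject any caller that still passes an unverified context.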