oss-sec mailing list archives

Re: CVE request: Python, standard library HTTP clients


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Wed, 10 Dec 2014 21:57:09 -0500 (EST)

On Thu, 11 Dec 2014 02:26:50 +0000, Alex Gaynor <alex.gaynor () gmail com> wrote:
> I'm requesting a CVE for CPython (sometimes Python), for failure to validate
> certificates in the HTTP client with TLS.
>
> Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS
> Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3
> Description:
>
> When Python's standard library HTTP clients (httplib, urllib, urllib2,
> xmlrpclib) are used to access resources with HTTPS, by default the certificate
> is not checked against any trust store, nor is the hostname in the certificate
> checked against the requested host. It was possible to configure a trust
> root to be checked against, however there were no faculties for hostname
> checking.
> ...
> Python 2.7.9 has been issued to resolve this issue. It is also resolved in
> 3.4.3, which has not yet been released.

Awesome!! I am *DELIGHTED* that this serious problem is finally getting fixed.
Thank you for your effort!  For those curious about this,
more information about this is in PEP 0476:
  http://legacy.python.org/dev/peps/pep-0476/
and these articles:
  https://lwn.net/Articles/582065/
  https://lwn.net/Articles/611243/

This has been the underlying cause of numerous CVEs going back to at least 2010, e.g.:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4340
but the CVEs have always been assigned (to my knowledge) to the applications
using Python, and never the library that didn't provide the functionality that developers
often expected.  I expect a lot of silent vulnerabilities will be removed by this change.

--- David A. Wheeler
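An added example, not code from this thread or from CPython, showing what the PEP 476 change means in terms of the ssl module: the pre-2.7.9/3.4.3 default behaved like an SSLContext with verify_mode=CERT_NONE and no hostname check, while ssl.create_default_context() (added in the fixed releases) gives CERT_REQUIRED plus check_hostname=True. The audit_context helper and the function names are mine; legacy_like_context is a constructed approximation of the old default, built for comparison only.

```python
"""Make a client SSLContext's verification posture visible.

Added example (not from the thread or CPython). Useful when reviewing code
that still builds its own SSLContext or passes context= to HTTPSConnection:
the same two flags that PEP 476 turned on by default are exactly what a
reviewer wants to see set.
"""
import http.client
import ssl


def hardened_context():
    """Post-PEP-476 default: system trust store loaded, chain verified,
    hostname checked against the certificate."""
    return ssl.create_default_context()


def legacy_like_context():
    """Constructed approximation of the pre-2.7.9 / pre-3.4.3 default:
    no chain verification and no hostname check. For comparison only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared first; CERT_NONE with it set raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the peer is verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    # A verifying context with no CAs loaded will reject every peer rather than
    # silently accept; flag it so the operator sees why connections fail.
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded; every handshake will fail")
    return findings


def https_get(host, path="/", ctx=None):
    """GET over HTTPS with an explicit, verified context (network call; not
    exercised offline). Passing context= is the 2.7.9+/3.4+ API."""
    conn = http.client.HTTPSConnection(host, context=ctx or hardened_context())
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()),
                      ("legacy-like", legacy_like_context())):
        print(name + ":", audit_context(ctx) or "OK")
```

Running the module prints two findings for the legacy-like context and (on a host with a CA bundle) "OK" for the default one; the same audit_context call can be dropped into a test suite to catch a context that was relaxed "temporarily" and never restored.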

