requests permitted after invalid certificate is received
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
httplib2 |
Unknown
|
Unknown
|
|||
python-httplib2 (Debian) |
New
|
Undecided
|
Unassigned | ||
python-httplib2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Undecided
|
Unassigned | ||
Saucy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
After httplib2 has found a certificate to be invalid it will permit future requests on the same https connection. Future requests will be performed without validating the certificate.
The attached program attempts two requests on a single https connection. One request receives a httplib2.
An invalid certificate should be treated as a connection error, and future requests should attempt to establish a new https connection to the server.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-httplib2 0.7.2-1ubuntu2
ProcVersionSign
Uname: Linux 3.2.0-40-generic i686
NonfreeKernelMo
ApportVersion: 2.0.1-0ubuntu17.2
Architecture: i386
Date: Wed May 1 19:48:16 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
MarkForUpload: True
PackageArchitec
SourcePackage: python-httplib2
UpgradeStatus: Upgraded to precise on 2012-05-08 (357 days ago)
information type: | Private Security → Public Security |
Changed in python-httplib2 (Ubuntu Lucid): | |
status: | New → Confirmed |
Changed in python-httplib2 (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in python-httplib2 (Ubuntu Quantal): | |
status: | New → Confirmed |
Changed in python-httplib2 (Ubuntu Raring): | |
status: | New → Confirmed |
Changed in python-httplib2 (Ubuntu Saucy): | |
status: | New → Confirmed |
Changed in python-httplib2 (Ubuntu Saucy): | |
status: | Confirmed → Fix Released |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2.1
---------------
python-httplib2 (0.7.2-1ubuntu2.1) precise-security; urgency=low
* SECURITY UPDATE: Incorrect SSL certificate checking with multiple patches/ CVE-2013- 2037.patch: close connection on cert mismatch httplib2/ __init_ _.py.
requests (LP: #1175272)
- debian/
in python2/
- CVE-2013-2037
-- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:02:56 -0400