urllib https implementation does not verify ssl certificates
Bug #651161 reported by dave b.
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bazaar | Fix Released | High | Jelmer Vernooij | |
| bzr (Debian) | Fix Released | Unknown | | |
| bzr (Ubuntu) | Fix Released | High | Jelmer Vernooij | |
Bug Description
Because pycurl isn't a dependency, only a "suggestion", it will not be installed with bzr on Ubuntu.
This is bad because the https implementation is broken as per bug http://
as bzr seems not to verify the common name (etc.) --> (see http://
So your application is vulnerable: as long as I have a certificate signed by a CA in the CA store, I can MITM bzr by default, as pycurl isn't a dep. Iff pycurl is installed you are not vulnerable.
Please let me know if I am wrong :)
Related branches
- lp:~jelmer/bzr/urllib-verifies-ssl-certs
  - Vincent Ladeuil: Needs Fixing
  - Martin Packman (community): Approve
  - Diff: 441 lines (+293/-18), 9 files modified:
    - bzrlib/config.py (+7/-0)
    - bzrlib/errors.py (+8/-0)
    - bzrlib/tests/__init__.py (+1/-0)
    - bzrlib/tests/test_http.py (+0/-1)
    - bzrlib/tests/test_https_urllib.py (+109/-0)
    - bzrlib/transport/__init__.py (+3/-3)
    - bzrlib/transport/http/_urllib2_wrappers.py (+142/-14)
    - doc/en/release-notes/bzr-2.5.txt (+6/-0)
    - doc/en/whats-new/whats-new-in-2.5.txt (+17/-0)
Activity log
- visibility: private → public
- Changed in bzr: status: New → Confirmed; importance: Undecided → Medium; tags added: https pycurl
- Changed in bzr (Ubuntu): status: New → Confirmed
- Changed in bzr (Debian): status: Unknown → New
- Changed in bzr: status: Confirmed → In Progress; assignee: nobody → Jelmer Vernooij (jelmer); importance: Medium → High
- summary: "bzr fails to verify ssl validity in https connections - by default --> - as pycurl isn't a dep only a suggestion" → "urllib https implementation does not verify ssl certificates"
- Changed in bzr (Ubuntu): assignee: nobody → Jelmer Vernooij (jelmer)
- Changed in bzr (Debian): status: New → Confirmed
- Changed in bzr: milestone: none → 2.5b5
- Changed in bzr (Ubuntu): status: Triaged → In Progress
- Changed in bzr: milestone: 2.5b5 → none
- Changed in bzr: milestone: none → 2.5.0; status: In Progress → Fix Released
- Changed in bzr (Debian): status: Confirmed → Fix Released
- Changed in bzr: milestone: 2.5.0 → 2.5b6
- Changed in bzr (Ubuntu): status: In Progress → Fix Released
By this logic we should
1. require pycurl on Ubuntu
2. give some kind of user warning or opt-in before using non-pycurl https to cover other platforms

or, if it is feasible, verify the CN ourselves?
What do you think, Vincent?
--
Martin
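The hostname check the report says the urllib transport skips, and Martin asks about doing "ourselves", as an added Python 3 example that is not bzr's code: match the peer certificate's SAN/CN against the requested host (so a CA-signed certificate for some other host is rejected), and build a urllib opener whose SSL context enforces both chain and hostname verification. The certificate dicts and host names are constructed for the example.

```python
import ssl
import urllib.request

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
SITE_CERT = {
    "subject": ((("commonName", "code.example.org"),),),
    "subjectAltName": (("DNS", "code.example.org"), ("DNS", "*.example.org")),
}
# A valid, CA-signed certificate for an unrelated host: this is exactly what a
# chain-only check (no CN/SAN comparison) accepts, which is the bug's MITM risk.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "unrelated.example.net"),),),
    "subjectAltName": (("DNS", "unrelated.example.net"),),
}
LEGACY_CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}


def _name_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, same label count, wildcard
    allowed only as the whole leftmost label and never in a bare '*.tld'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_hostname(cert, hostname):
    """Hostname half of certificate verification: SAN dNSName entries are
    authoritative; the subject CN is consulted only if no SAN is present."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_match(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_match(value, hostname)
    return False  # no usable name at all: reject rather than trust


def verifying_context():
    """Context that checks the chain against the system CA store and the
    hostname (check_hostname=True); urllib skips neither when given this."""
    return ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True


def verifying_opener():
    """urllib opener that performs the verification the bug report asks for."""
    handler = urllib.request.HTTPSHandler(context=verifying_context())
    return urllib.request.build_opener(handler)
```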