Bug #1175272 “requests permitted after invalid certificate is re...” : Bugs : httplib2

Bug Description

After httplib2 has found a certificate to be invalid it will permit future requests on the same https connection. Future requests will be performed without validating the certificate.

The attached program attempts two requests on a single https connection. One request receives a httplib2.CertificateHostnameMismatch exception, the other receives a HTTP 200 success code.

An invalid certificate should be treated as a connection error, and future requests should attempt to establish a new https connection to the server.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-httplib2 0.7.2-1ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-40.64-generic 3.2.40
Uname: Linux 3.2.0-40-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.2
Architecture: i386
Date: Wed May 1 19:48:16 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: python-httplib2
UpgradeStatus: Upgraded to precise on 2012-05-08 (357 days ago)

Tags: Edit Tag help

Related branches

lp:ubuntu/lucid-security/python-httplib2

lp:ubuntu/precise-security/python-httplib2

lp:ubuntu/quantal-security/python-httplib2

lp:ubuntu/raring-security/python-httplib2

Kasper Dupont (ubuntu-launchpad-feb) wrote on 2013-05-01:

Program demonstrating the bug Edit (265 bytes, text/x-python)
Dependencies.txt Edit (855 bytes, text/plain; charset="utf-8")
ProcEnviron.txt Edit (297 bytes, text/plain; charset="utf-8")

Marc Deslauriers (mdeslaur) on 2013-05-01

information type:

Private Security → Public Security

Marc Deslauriers (mdeslaur) on 2013-05-01

Changed in python-httplib2 (Ubuntu Lucid):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Precise):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Quantal):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Raring):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Saucy):
status:	New → Confirmed

Launchpad Janitor (janitor) wrote on 2013-09-09:

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2.1

---------------
python-httplib2 (0.7.2-1ubuntu2.1) precise-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
-- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:02:56 -0400

Changed in python-httplib2 (Ubuntu Precise):
status:	Confirmed → Fix Released

Launchpad Janitor (janitor) wrote on 2013-09-09:

This bug was fixed in the package python-httplib2 - 0.7.7-1ubuntu0.1

---------------
python-httplib2 (0.7.7-1ubuntu0.1) raring-security; urgency=low

Changed in python-httplib2 (Ubuntu Raring):
status:	Confirmed → Fix Released

Launchpad Janitor (janitor) wrote on 2013-09-09:

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.04.2

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.2) lucid-security; urgency=low

Changed in python-httplib2 (Ubuntu Lucid):
status:	Confirmed → Fix Released

Launchpad Janitor (janitor) wrote on 2013-09-09:

This bug was fixed in the package python-httplib2 - 0.7.4-2ubuntu0.1

---------------
python-httplib2 (0.7.4-2ubuntu0.1) quantal-security; urgency=low

Changed in python-httplib2 (Ubuntu Quantal):
status:	Confirmed → Fix Released

Marc Deslauriers (mdeslaur) on 2013-09-09

Changed in python-httplib2 (Ubuntu Saucy):
status:	Confirmed → Fix Released

httplib2

requests permitted after invalid certificate is received

Bug Description

Related branches

Other bug subscribers

Bug attachments

Remote bug watches