requests permitted after invalid certificate is received

Reported by Kasper Dupont on 2013-05-01
This bug affects 1 person
Affects                     Status   Importance  Assigned to  Milestone
httplib2                    Unknown  Unknown
python-httplib2 (Debian)    New      Undecided   Unassigned
python-httplib2 (Ubuntu)             Undecided   Unassigned
  Lucid                              Undecided   Unassigned
  Precise                            Undecided   Unassigned
  Quantal                            Undecided   Unassigned
  Raring                             Undecided   Unassigned
  Saucy                              Undecided   Unassigned

Bug Description

After httplib2 has found a certificate to be invalid, it will permit future requests on the same https connection. Future requests will be performed without validating the certificate.

The attached program attempts two requests on a single https connection. One request receives an httplib2.CertificateHostnameMismatch exception, the other receives an HTTP 200 success code.

An invalid certificate should be treated as a connection error, and future requests should attempt to establish a new https connection to the server.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-httplib2 0.7.2-1ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-40.64-generic 3.2.40
Uname: Linux 3.2.0-40-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.2
Architecture: i386
Date: Wed May 1 19:48:16 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: python-httplib2
UpgradeStatus: Upgraded to precise on 2012-05-08 (357 days ago)
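An added Python model of the behaviour described in the report, with the "close connection on cert mismatch" fix from the security updates as the second variant; this is not httplib2's code or the reporter's attached program, and the class, function and certificate-dict names are constructed for the illustration:

```python
class CertificateHostnameMismatch(Exception):
    """Raised when the served certificate does not name the requested host."""

def hostname_matches(cert, hostname):
    """Exact match of the requested host against the simulated cert's DNS SANs."""
    return hostname in [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

class PooledHTTPSConnection:
    """Keep-alive connection kept in a pool; close_on_mismatch selects the fixed behaviour."""

    def __init__(self, host, served_cert, close_on_mismatch):
        self.host = host
        self.served_cert = served_cert          # constructed cert the peer presents
        self.close_on_mismatch = close_on_mismatch
        self.sock = None                        # None means "not connected"
        self.validated = False                  # True only after a passing hostname check

    def connect(self):
        self.sock = object()                    # stand-in for an open TLS socket
        if not hostname_matches(self.served_cert, self.host):
            if self.close_on_mismatch:
                self.sock = None                # fixed: drop the socket so the next request reconnects
            raise CertificateHostnameMismatch(self.host)
        self.validated = True

    def request(self, path):
        if self.sock is None:
            self.connect()                      # buggy variant: sock is still set, so this is skipped
        return (200, self.validated)            # (status, whether the peer was ever validated)

def run_two_requests(close_on_mismatch, cert):
    """Issue two requests on one pooled connection and record each outcome."""
    conn = PooledHTTPSConnection("www.example", cert, close_on_mismatch)
    results = []
    for _ in range(2):
        try:
            results.append(conn.request("/"))
        except CertificateHostnameMismatch:
            results.append("CertificateHostnameMismatch")
    return results

MISMATCHED_CERT = {"subjectAltName": (("DNS", "other.example"),)}   # constructed
MATCHING_CERT = {"subjectAltName": (("DNS", "www.example"),)}       # constructed

if __name__ == "__main__":
    print("buggy:", run_two_requests(False, MISMATCHED_CERT))  # second request gets (200, False)
    print("fixed:", run_two_requests(True, MISMATCHED_CERT))   # both requests raise
```

The buggy variant reproduces the report's observation (one exception, then a 200 over a never-validated connection); the fixed variant forces a fresh connect, and therefore a fresh check, on every request that follows a mismatch.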

information type: Private Security → Public Security
Changed in python-httplib2 (Ubuntu Lucid):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Precise):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Quantal):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Raring):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Saucy):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2.1

---------------
python-httplib2 (0.7.2-1ubuntu2.1) precise-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:02:56 -0400

Changed in python-httplib2 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.7-1ubuntu0.1

---------------
python-httplib2 (0.7.7-1ubuntu0.1) raring-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 09:54:11 -0400

Changed in python-httplib2 (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.04.2

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:03:40 -0400

Changed in python-httplib2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.4-2ubuntu0.1

---------------
python-httplib2 (0.7.4-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:01:59 -0400

Changed in python-httplib2 (Ubuntu Quantal):
status: Confirmed → Fix Released
Changed in python-httplib2 (Ubuntu Saucy):
status: Confirmed → Fix Released