This Python project is vulnerable to MITM as it fails to verify the SSL validity of the remote destination.

Bug #675217 reported by dave b.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
libcloud (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

As per my original bug report in libcloud, https://issues.apache.org/jira/browse/LIBCLOUD-55

This Python project is vulnerable to MITM as it fails to verify the SSL validity of the remote destination.
urllib / urllib2 and httplib.HTTPSConnection do not verify SSL at all by default.
From base.py:

    class ConnectionKey(object):
        """
        A Base Connection class to derive from.
        """
        conn_classes = (httplib.HTTPConnection, httplib.HTTPSConnection)

        # ....
        def connect(self, host=None, port=None):
            # .....
            # self.secure picks the class from the tuple; no certificate
            # or hostname check is configured on the HTTPS one.
            connection = self.conn_classes[self.secure]

This request can be MITMed, leading to the compromise of a user's API key, where a secured HTTPS connection was requested but can be MITM'ed.

dave b. (d+b)
visibility: private → public
Changed in libcloud (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Soren Hansen (soren) wrote :

This is fixed with the recent upload of 0.5.0 to Oneiric.

Changed in libcloud (Ubuntu):
status: Confirmed → Fix Released
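
A Python 3 sketch of the verified-connection pattern this report asks for, added here as an example; it is not libcloud's code and not the fix shipped in 0.5.0. The helper names `verified_context`, `unverified_context` and `context_problems`, and the `context` parameter, are hypothetical.

```python
import http.client
import ssl


def verified_context(cafile=None):
    """Context that demands a trusted chain and a matching hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context():
    """The weak setting: encrypts, but accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx):
    """List the ways a context fails to authenticate the remote end."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    return problems


class ConnectionKey(object):
    """Hypothetical Python 3 analogue of the class quoted in the report."""
    conn_classes = (http.client.HTTPConnection, http.client.HTTPSConnection)

    def __init__(self, secure=True, context=None):
        self.secure = secure
        self.context = context if context is not None else verified_context()

    def connect(self, host, port=None):
        if not self.secure:
            return self.conn_classes[0](host, port)
        problems = context_problems(self.context)
        if problems:                     # fail closed rather than send the API key
            raise ValueError("refusing HTTPS to %s: %s" % (host, "; ".join(problems)))
        # No socket is opened here; the handshake and checks run on first request.
        return self.conn_classes[1](host, port, context=self.context)
```

With the verified context, a certificate that does not chain to a trusted CA or does not match the hostname raises `ssl.SSLCertVerificationError` on the first request, before any credential is sent.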
This report contains Public Security information  
Everyone can see this security related information.
