python-httplib2 < 0.7.0 doesn't validate server certificates
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | python-httplib2 (Ubuntu) |
High
|
Unassigned | ||
| | Lucid |
High
|
Unassigned | ||
| | Maverick |
High
|
Unassigned | ||
| | Natty |
High
|
Unassigned | ||
| | Oneiric |
High
|
Unassigned | ||
| | Precise |
High
|
Unassigned | ||
Bug Description
python-httplib2 added support for checking https certificates in 0.7.0. The packages currently in Natty and older don't perform any certificate validation, permitting man in the middle attacks on any software that uses the library and doesn't perform checks of it's own.
| Changed in python-httplib2 (Ubuntu): | |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote : | #1 |
| visibility: | private → public |
| Changed in python-httplib2 (Ubuntu Lucid): | |
| status: | New → Confirmed |
| Changed in python-httplib2 (Ubuntu Maverick): | |
| status: | New → Confirmed |
| Changed in python-httplib2 (Ubuntu Oneiric): | |
| status: | New → Confirmed |
| Changed in python-httplib2 (Ubuntu Natty): | |
| status: | New → Confirmed |
| Changed in python-httplib2 (Ubuntu Lucid): | |
| importance: | Undecided → High |
| Changed in python-httplib2 (Ubuntu Maverick): | |
| importance: | Undecided → High |
| Changed in python-httplib2 (Ubuntu Natty): | |
| importance: | Undecided → High |
| Changed in python-httplib2 (Ubuntu Oneiric): | |
| importance: | Undecided → High |
| Changed in python-httplib2 (Ubuntu Precise): | |
| importance: | Undecided → High |
| status: | Confirmed → Fix Released |
| Marc Deslauriers (mdeslaur) wrote : | #2 |
SRU team: this isn't an SRU, it's a security update that we've put in -proposed to get more testing. Please let the security team handle this. Thanks.
| Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
- debian/control: adjust to work with older dependencies.
- debian/
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 14:07:20 -0500
| Changed in python-httplib2 (Ubuntu Lucid): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
- debian/control: adjust to work with older dependencies.
- debian/
version in maverick.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 15:32:42 -0500
| Changed in python-httplib2 (Ubuntu Maverick): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:56:37 -0500
| Changed in python-httplib2 (Ubuntu Natty): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:54:02 -0500
| Changed in python-httplib2 (Ubuntu Oneiric): | |
| status: | Confirmed → Fix Released |
For Oneiric, see bug 882027: it doesn't use the system CA certs by default.