python-httplib2 < 0.7.0 doesn't validate server certificates

Bug #882030 reported by Marc Deslauriers
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-httplib2 (Ubuntu)
Fix Released
High
Unassigned
Lucid
Fix Released
High
Unassigned
Maverick
Fix Released
High
Unassigned
Natty
Fix Released
High
Unassigned
Oneiric
Fix Released
High
Unassigned
Precise
Fix Released
High
Unassigned

Bug Description

python-httplib2 added support for checking https certificates in 0.7.0. The packages currently in Natty and older don't perform any certificate validation, permitting man in the middle attacks on any software that uses the library and doesn't perform checks of it's own.

Changed in python-httplib2 (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

For Oneiric, see bug 882027: it doesn't use the system CA certs by default.

visibility: private → public
Changed in python-httplib2 (Ubuntu Lucid):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Maverick):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Natty):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Lucid):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Maverick):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Natty):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Oneiric):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Precise):
importance: Undecided → High
status: Confirmed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

SRU team: this isn't an SRU, it's a security update that we've put in -proposed to get more testing. Please let the security team handle this. Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.04.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
    - debian/control: adjust to work with older dependencies.
    - debian/{control,rules}: get rid of python3 package.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 14:07:20 -0500

Changed in python-httplib2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.10.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
    - debian/control: adjust to work with older dependencies.
    - debian/patches/python31-compat.patch: fix compatibility with python3
      version in maverick.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 15:32:42 -0500

Changed in python-httplib2 (Ubuntu Maverick):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.11.04.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:56:37 -0500

Changed in python-httplib2 (Ubuntu Natty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.11.10.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:54:02 -0500

Changed in python-httplib2 (Ubuntu Oneiric):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.