
python-httplib2 < 0.7.0 doesn't validate server certificates

Reported by Marc Deslauriers on 2011-10-26
Affects                   Status  Importance  Assigned to  Milestone
python-httplib2 (Ubuntu)          High        Unassigned
Lucid                             High        Unassigned
Maverick                          High        Unassigned
Natty                             High        Unassigned
Oneiric                           High        Unassigned
Precise                           High        Unassigned

Bug Description

python-httplib2 added support for checking HTTPS certificates in 0.7.0. The packages currently in Natty and older don't perform any certificate validation, permitting man-in-the-middle attacks on any software that uses the library and doesn't perform checks of its own.

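The check a deployer wants after reading the description above: does the installed httplib2 validate server certificates at all, and if so, is it pointed at the system CA bundle rather than a private one (the Oneiric issue mentioned in the next comment)? The code below is an added example, not part of this bug report or of httplib2 itself; the CA bundle path and the `0.7.0` threshold are assumptions taken from the Debian/Ubuntu `ca-certificates` layout and from the description above.

```python
"""Added example: refuse to build an httplib2 client that cannot validate
TLS server certificates, and point one that can at the system CA bundle.
Not part of the bug report; the bundle path and version threshold are assumptions."""
import os
import re

# Per the bug description, httplib2 gained server-certificate validation in 0.7.0.
MIN_VALIDATING_VERSION = (0, 7, 0)

# Assumed location of the system CA bundle on Debian/Ubuntu (ca-certificates package).
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def parse_version(version_string):
    """Turn '0.7.2' or a Debian-style '0.7.2-1ubuntu2' into a comparable int tuple."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_string)
    if not match:
        raise ValueError("unrecognised version string: %r" % (version_string,))
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def validates_certificates(version_string):
    """True if this httplib2 version performs server-certificate validation."""
    return parse_version(version_string) >= MIN_VALIDATING_VERSION


def make_validating_http(httplib2_module, ca_certs=SYSTEM_CA_BUNDLE):
    """Return an httplib2.Http that validates against the given CA bundle.

    Raises instead of silently handing back a client that accepts any
    certificate. The module is passed in (rather than imported here) so the
    check can be exercised against a stand-in object without httplib2 installed.
    """
    version = getattr(httplib2_module, "__version__", "0.0.0")
    if not validates_certificates(version):
        raise RuntimeError(
            "httplib2 %s does not validate certificates; upgrade to >= 0.7.0" % version)
    if not os.path.isfile(ca_certs):
        raise RuntimeError("CA bundle not found: %s" % ca_certs)
    # ca_certs and disable_ssl_certificate_validation are httplib2 0.7.x Http()
    # keyword arguments. Passing the system bundle explicitly avoids relying on
    # whatever list the library ships with; validation is named explicitly so a
    # reviewer can see it is intentionally on.
    return httplib2_module.Http(ca_certs=ca_certs,
                                disable_ssl_certificate_validation=False)


if __name__ == "__main__":
    import httplib2  # only needed when run directly
    client = make_validating_http(httplib2)
    print("httplib2 %s: certificate validation enabled against %s"
          % (httplib2.__version__, SYSTEM_CA_BUNDLE))
```

Run it on a host carrying the pre-0.7.0 package and it stops with the version error rather than making a request; on a host with the backported 0.7.2 it returns a client whose handshake will fail with `httplib2.SSLHandshakeError` for a certificate the system bundle does not trust.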
Changed in python-httplib2 (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

For Oneiric, see bug 882027: it doesn't use the system CA certs by default.

visibility: private → public
Changed in python-httplib2 (Ubuntu Lucid):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Maverick):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Oneiric):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Natty):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Lucid):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Maverick):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Natty):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Oneiric):
importance: Undecided → High
Changed in python-httplib2 (Ubuntu Precise):
importance: Undecided → High
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

SRU team: this isn't an SRU, it's a security update that we've put in -proposed to get more testing. Please let the security team handle this. Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.04.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
    - debian/control: adjust to work with older dependencies.
    - debian/{control,rules}: get rid of python3 package.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 14:07:20 -0500

Changed in python-httplib2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.10.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
    - debian/control: adjust to work with older dependencies.
    - debian/patches/python31-compat.patch: fix compatibility with python3
      version in maverick.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 15:32:42 -0500

Changed in python-httplib2 (Ubuntu Maverick):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.11.04.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:56:37 -0500

Changed in python-httplib2 (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.11.10.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
 -- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:54:02 -0500

Changed in python-httplib2 (Ubuntu Oneiric):
status: Confirmed → Fix Released