python-httplib2 < 0.7.0 doesn't validate server certificates
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | python-httplib2 (Ubuntu) |
High
|
Unassigned | ||
| | Lucid |
High
|
Unassigned | ||
| | Maverick |
High
|
Unassigned | ||
| | Natty |
High
|
Unassigned | ||
| | Oneiric |
High
|
Unassigned | ||
| | Precise |
High
|
Unassigned | ||
Bug Description
python-httplib2 added support for checking https certificates in 0.7.0. The packages currently in Natty and older don't perform any certificate validation, permitting man in the middle attacks on any software that uses the library and doesn't perform checks of it's own.
| Changed in python-httplib2 (Ubuntu): | |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote : | #1 |
| Marc Deslauriers (mdeslaur) wrote : | #2 |
SRU team: this isn't an SRU, it's a security update that we've put in -proposed to get more testing. Please let the security team handle this. Thanks.
| Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
- debian/control: adjust to work with older dependencies.
- debian/
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 14:07:20 -0500
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
- debian/control: adjust to work with older dependencies.
- debian/
version in maverick.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 15:32:42 -0500
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:56:37 -0500
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~
---------------
python-httplib2 (0.7.2-
* SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
- Backport 0.7.2 as a security update to get proper SSL certificate
validation support and prevent MITM attacks.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:54:02 -0500
For Oneiric, see bug 882027: it doesn't use the system CA certs by default.