List: oss-security
Subject: Re: [oss-security] CVE request: Python, standard library HTTP clients
From: "David A. Wheeler" <dwheeler () dwheeler ! com>
Date: 2014-12-11 2:57:09
Message-ID: E1XytwD-0004Je-Oj () rmm6prod02 ! runbox ! com
On Thu, 11 Dec 2014 02:26:50 +0000, Alex Gaynor <alex.gaynor@gmail.com> wrote:
> I'm requesting a CVE for CPython (sometimes Python), for failure to validate
> certificates in the HTTP client with TLS.
>
> Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS
> Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3
> Description:
>
> When Python's standard library HTTP clients (httplib, urllib, urllib2,
> xmlrpclib) are used to access resources with HTTPS, by default the certificate
> is not checked against any trust store, nor is the hostname in the certificate
> checked against the requested host. It was possible to configure a trust
> root to be checked against, however there were no faculties for hostname
> checking.
...
> Python 2.7.9 has been issued to resolve this issue. It is also resolved in
> 3.4.3, which has not yet been released.
Awesome!! I am *DELIGHTED* that this serious problem is finally getting fixed.
Thank you for your effort! For those curious about this,
more information about this is in PEP 0476:
http://legacy.python.org/dev/peps/pep-0476/
and these articles:
https://lwn.net/Articles/582065/
https://lwn.net/Articles/611243/
This has been the underlying cause of numerous CVEs going back to at least 2010, e.g.:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4340
but the CVEs have always been assigned (to my knowledge) to the applications
using Python, and never the library that didn't provide the functionality that developers
often expected. I expect a lot of silent vulnerabilities will be removed by this change.
--- David A. Wheeler
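To make the behaviour change discussed in this thread concrete, here is an added example (not code from the original thread, PEP 476, or CPython itself) using only the standard library. It builds the kind of ssl.SSLContext that PEP 476 made the default for httplib/urllib/xmlrpclib (chain validation against the platform trust store plus hostname checking), reproduces the pre-2.7.9/3.4.3 behaviour as an explicitly unverified context for comparison, and audits contexts for the two properties that together make an HTTPS client trustworthy. The host name `example.invalid` is a constructed placeholder; no network connection is opened.

```python
"""Verified vs. unverified TLS contexts for Python's stdlib HTTP clients.

Added example, not part of the original mailing list thread. It demonstrates
what PEP 476 changed: the default context now validates the server's
certificate chain and checks the hostname. Before 2.7.9 / 3.4.3 neither was
done unless the caller configured it, and hostname checking was not available
in the HTTP clients at all.
"""
import http.client
import ssl
import urllib.request


def verified_context() -> ssl.SSLContext:
    # Equivalent to the PEP 476 default: CERT_REQUIRED, check_hostname=True,
    # and the platform's trust store loaded. This is what modern interpreters
    # use when no context is passed to HTTPSConnection / urlopen.
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    # The pre-PEP 476 behaviour, reproduced deliberately for comparison only:
    # any certificate is accepted, for any hostname. check_hostname must be
    # turned off before verify_mode can be set to CERT_NONE.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    # Both properties are needed. CERT_REQUIRED alone still accepts a
    # perfectly valid certificate issued to a different host, which is
    # exactly the gap the thread describes ("no facilities for hostname
    # checking").
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def audit_contexts(contexts: dict) -> dict:
    # Map each named context to whether it verifies chain and hostname.
    return {name: context_is_safe(ctx) for name, ctx in contexts.items()}


def https_connection(host: str, ctx: ssl.SSLContext) -> http.client.HTTPSConnection:
    # Passing the context explicitly is the portable way to get verification
    # on 2.7.9+ / 3.4.3+ regardless of interpreter defaults. The constructor
    # does not connect, so this is safe to call offline.
    return http.client.HTTPSConnection(host, context=ctx)


def https_opener(ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    # Same idea for the urllib family: bind the verified context to the
    # HTTPS handler used by the opener.
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    report = audit_contexts({
        "pep476_default": verified_context(),
        "legacy_unverified": unverified_context(),
    })
    for name, safe in report.items():
        print(f"{name:20s} verifies chain+hostname: {safe}")
    conn = https_connection("example.invalid", verified_context())  # constructed host
    print("connection object for", conn.host, "created without connecting")
```

The audit function is the piece worth keeping around: when reviewing older code that hand-builds an `SSLContext` (or still calls `ssl.wrap_socket` / passes `cert_reqs=ssl.CERT_NONE`), checking the resulting context for both `CERT_REQUIRED` and `check_hostname` catches the half-fixed case where the chain is validated but the hostname is not.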