Message-Id: <E1XytwD-0004Je-Oj@rmm6prod02.runbox.com>
Date: Wed, 10 Dec 2014 21:57:09 -0500 (EST)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: CVE request: Python, standard library HTTP clients

On Thu, 11 Dec 2014 02:26:50 +0000, Alex Gaynor <alex.gaynor@...il.com> wrote:
> I'm requesting a CVE for CPython (sometimes Python), for failure to validate
> certificates in the HTTP client with TLS.
> 
> Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS
> Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3
> Description:
> 
> When Python's standard library HTTP clients (httplib, urllib, urllib2,
> xmlrpclib) are used to access resources with HTTPS, by default the certificate
> is not checked against any trust store, nor is the hostname in the certificate
> checked against the requested host. It was possible to configure a trust
> root to be checked against, however there were no facilities for hostname
> checking.
...
> Python 2.7.9 has been issued to resolve this issue. It is also resolved in
> 3.4.3, which has not yet been released.

Awesome!! I am *DELIGHTED* that this serious problem is finally getting fixed.
Thank you for your effort!  For those curious about this,
more information is in PEP 0476:
  http://legacy.python.org/dev/peps/pep-0476/
and these articles:
  https://lwn.net/Articles/582065/
  https://lwn.net/Articles/611243/

This has been the underlying cause of numerous CVEs going back to at least 2010, e.g.:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4340
but the CVEs have always been assigned (to my knowledge) to the applications
using Python, and never the library that didn't provide the functionality that developers
often expected.  I expect a lot of silent vulnerabilities will be removed by this change.

--- David A. Wheeler
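The quoted request describes two separate gaps in the pre-2.7.9 clients: no chain validation by default, and no hostname matching even when a trust root was configured. The audit below is an added example (not code from this thread, CPython, or PEP 476) that walks a Python AST and flags the constructs which leave HTTPS in that state, and builds a client context with the PEP 476 defaults for comparison. `SAMPLE_SOURCE` is a constructed snippet in the style of application code from that era; the flagged patterns (`ssl.wrap_socket`, `CERT_NONE`, `check_hostname = False`, `ssl._create_unverified_context`) are real stdlib names, but which of them count as a finding is this example's own policy.

```python
"""Audit Python source for TLS client setups that skip certificate or
hostname verification, i.e. the pre-PEP 476 default behaviour."""
import ast
import ssl

# Constructed sample of application code, parsed but never executed.
# Lines 2, 3, 5, 7 and 8 should be flagged; lines 4, 6 and 9 are fine.
SAMPLE_SOURCE = """import ssl, socket
sock = ssl.wrap_socket(socket.socket())
sock2 = ssl.wrap_socket(socket.socket(), cert_reqs=ssl.CERT_REQUIRED, ca_certs="/etc/ssl/certs/ca-certificates.crt")
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.verify_mode = ssl.CERT_NONE
ctx2 = ssl.create_default_context()
ctx2.check_hostname = False
ctx3 = ssl._create_unverified_context()
ctx4 = ssl.create_default_context()
"""


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_tls_usage(source):
    """Return a sorted list of (lineno, reason) for unverified TLS usage."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name == "ssl.wrap_socket":
                kw = {k.arg: _dotted(k.value) for k in node.keywords}
                if kw.get("cert_reqs") == "ssl.CERT_REQUIRED":
                    # Chain is checked against ca_certs, but wrap_socket
                    # never matches the certificate against the hostname.
                    reason = "ssl.wrap_socket(cert_reqs=CERT_REQUIRED): chain checked, hostname never matched"
                else:
                    # Default cert_reqs is CERT_NONE: any certificate is accepted.
                    reason = "ssl.wrap_socket() with default cert_reqs=CERT_NONE: no chain or hostname check"
                findings.append((node.lineno, reason))
            elif name == "ssl._create_unverified_context":
                findings.append((node.lineno,
                                 "ssl._create_unverified_context(): opts out of PEP 476 verification"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr == "verify_mode" and _dotted(node.value) == "ssl.CERT_NONE":
                    findings.append((node.lineno,
                                     "verify_mode = CERT_NONE: peer cert not checked against any trust store"))
                elif (target.attr == "check_hostname"
                      and isinstance(node.value, ast.Constant) and node.value.value is False):
                    findings.append((node.lineno,
                                     "check_hostname = False: certificate accepted for any host name"))
    return sorted(findings)


def verified_client_context(cafile=None):
    """Client context with the PEP 476 defaults: chain verified against the
    system trust store (or `cafile`) and hostname matched against the cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx


def legacy_unverified_context():
    """What the pre-2.7.9 clients effectively did: no chain or hostname check."""
    return ssl._create_unverified_context()


def is_verified(ctx):
    """True only if both checks are on; flipping either one reopens the hole."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname is True


if __name__ == "__main__":
    for lineno, reason in audit_tls_usage(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
    print("default context verified:", is_verified(verified_client_context()))
    print("legacy context verified:", is_verified(legacy_unverified_context()))
```

Run it over a code base with `audit_tls_usage(open(path).read())` per file; a clean result is not proof of safety (a context can be mutated through an alias the walker does not follow), but every hit is a place where the "silent vulnerability" described above survives a Python upgrade.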
