Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <54F88D1E.1070200@oracle.com>
Date: Thu, 05 Mar 2015 17:06:38 +0000
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not
 checking hostnames in certs properly CVE-2015-1777

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/03/15 18:37, Kurt Seifried wrote:
> On 04/03/15 11:14 AM, Donald Stufft wrote:
>> > 
>>> >> On Mar 4, 2015, at 12:55 PM, Kurt Seifried <kseifried@...hat.com> wrote:
>>> >>
>>> >> https://bugzilla.redhat.com/show_bug.cgi?id=1198740
>>> >>
>>> >> Jan Bee of the Google Security Team reports:
>>> >>
>>> >> The /usr/sbin/rhnreg_ks fails to properly validate hostnames in
>>> >> certificates. This can result in man in the middle attacks.
>>> >>
>>> >> ===
>>> >>
>>> >> Please note that this issue cannot easily be exploited to cause any
>>> >> significant damage to a system other then preventing registration from
>>> >> taking place properly which the attacker would be able to do in any
>>> >> event if the can man in the middle the connection.
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Kurt Seifried -- Red Hat -- Product Security -- Cloud
>>> >> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>> >>
>> > 
>> > Note: Python 2.7.9+ and 3.4.3+ will cause most apps like this to
>> > automatically start validating hostnames. It may be easier to backport
>> > those changes than to find every Python app that doesn’t check hostnames.
> Yup, I am aware of that, but as you know Red Hat is pretty conservative
> on updates to things like Python/etc because we have to support customer
> applications that we have never seen and will never see (e.g. internal
> corp software), and if we break those apps due to changes in underlying
> languages there is a big problem.
> 


PEP 476 cites 11 CVEs that resulted from python not properly validating
certificates.   This would be number 12.

Shouldn't python versions prior to 2.7.9 and 3.4.3 have a CVE each for
the lack of verification? If internal corporate software stops working
because of invalid certificates, wasn't it broken anyway?

jch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iF4EAREIAAYFAlT4jREACgkQRQu7fpQvo8gQ6wD/Spvj6v0XdrQ2dOG5/r63gpSb
0v0XXopM3J9M0IhBCAQA/02UcObkNkXxM4zj43TWdOeJEuabuBHl9rHubmBDo/9/
=NJa4
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.