requests permitted after invalid certificate is received

Bug #1175272 reported by Kasper Dupont
Affects                     Status        Importance  Assigned to  Milestone
httplib2                    Unknown       Unknown
python-httplib2 (Debian)    New           Undecided   Unassigned
python-httplib2 (Ubuntu)    Fix Released  Undecided   Unassigned
  Lucid                     Fix Released  Undecided   Unassigned
  Precise                   Fix Released  Undecided   Unassigned
  Quantal                   Fix Released  Undecided   Unassigned
  Raring                    Fix Released  Undecided   Unassigned
  Saucy                     Fix Released  Undecided   Unassigned

Bug Description

After httplib2 has found a certificate to be invalid it will permit future requests on the same https connection. Future requests will be performed without validating the certificate.

The attached program attempts two requests on a single https connection. One request receives a httplib2.CertificateHostnameMismatch exception, the other receives an HTTP 200 success code.

An invalid certificate should be treated as a connection error, and future requests should attempt to establish a new https connection to the server.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: python-httplib2 0.7.2-1ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-40.64-generic 3.2.40
Uname: Linux 3.2.0-40-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.2
Architecture: i386
Date: Wed May 1 19:48:16 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: python-httplib2
UpgradeStatus: Upgraded to precise on 2012-05-08 (357 days ago)
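The failure mode the report describes, as an added example that is not the reporter's attached program nor httplib2's own code: a minimal model of a client that caches one connection per host and validates the certificate hostname only inside connect(), which is skipped whenever a socket already exists. The class and function names are constructed for illustration, and the fix modelled is the one the changelog names, closing the connection on a certificate mismatch so the next request has to reconnect and re-validate.

```python
class CertificateHostnameMismatch(Exception):
    """Mirrors the httplib2 exception named in the report."""


class HTTPSConnection:
    """Constructed stand-in for one persistent HTTPS connection."""
    def __init__(self, host, peer_cn):
        self.host, self.peer_cn, self.sock = host, peer_cn, None

    def connect(self):
        # The TLS socket (here just a constructed peer certificate) is stored
        # before the hostname check, so a failed check leaves self.sock set.
        self.sock = {"subject": ((("commonName", self.peer_cn),),)}
        cert_cn = self.sock["subject"][0][0][1]
        if cert_cn != self.host:
            raise CertificateHostnameMismatch(f"{cert_cn!r} != {self.host!r}")

    def close(self):
        self.sock = None

    def request(self):
        return 200  # constructed status for a request that actually went out


class Client:
    """Caches one connection per host, like a persistent-connection client."""
    def __init__(self, close_on_mismatch):
        self.connections = {}
        self.close_on_mismatch = close_on_mismatch

    def request(self, host, peer_cn):
        conn = self.connections.setdefault(host, HTTPSConnection(host, peer_cn))
        try:
            if conn.sock is None:  # an already-open socket is reused unvalidated
                conn.connect()
        except CertificateHostnameMismatch:
            if self.close_on_mismatch:  # the fix: drop the tainted connection
                conn.close()
            raise
        return conn.request()


def two_requests(close_on_mismatch):
    """Send two requests through one cached connection; return both outcomes."""
    client = Client(close_on_mismatch)
    outcomes = []
    for _ in range(2):
        try:
            outcomes.append(client.request("example.com", "attacker.test"))
        except CertificateHostnameMismatch:
            outcomes.append("mismatch")
    return outcomes
```

With the buggy behaviour the second request succeeds with 200 over the never-validated socket; with the fix both requests fail validation.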

Revision history for this message
Kasper Dupont (ubuntu-launchpad-feb) wrote :
information type: Private Security → Public Security
Changed in python-httplib2 (Ubuntu Lucid):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Precise):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Quantal):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Raring):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Saucy):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2.1

---------------
python-httplib2 (0.7.2-1ubuntu2.1) precise-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:02:56 -0400

Changed in python-httplib2 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.7-1ubuntu0.1

---------------
python-httplib2 (0.7.7-1ubuntu0.1) raring-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 09:54:11 -0400

Changed in python-httplib2 (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.04.2

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:03:40 -0400

Changed in python-httplib2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.7.4-2ubuntu0.1

---------------
python-httplib2 (0.7.4-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2013 10:01:59 -0400

Changed in python-httplib2 (Ubuntu Quantal):
status: Confirmed → Fix Released
Changed in python-httplib2 (Ubuntu Saucy):
status: Confirmed → Fix Released