| Summary: | <dev-python/httplib2-0.9.2-r2: ssl cert incorrect error handling (CVE-2013-2037) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | python |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2013/05/01/5 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | =dev-python/httplib2-0.9.2-r2 | | |
| Runtime testing required: | --- | | |
Description

Agostino Sarubbo
2013-05-02 07:58:15 UTC

CVE-2013-2037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2037): httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Upstream now lives on GitHub. The relevant issue was imported, here: https://github.com/jcgregorio/httplib2/issues/243

(In reply to Dirkjan Ochtman from comment #2)
> Upstream now lives on GitHub. The relevant issue was imported, here:
>
> https://github.com/jcgregorio/httplib2/issues/243

Dirkjan, looks like you proposed a patch upstream at: https://github.com/httplib2/httplib2/issues/5

Do you intend to apply this in tree to fix the issue?

I don't really feel comfortable judging this patch. Personally, I feel every rdep should be moving away from httplib2, as it has been so badly maintained.

Ping. What's the status? Can we please either apply the patch from Fedora http://pkgs.fedoraproject.org/cgit/rpms/python-httplib2.git/tree/python-httplib2-0.9-cve-2013-2037.patch (looks like the proposed patch from Dirkjan) or start the removal process?

Please go ahead with stabilization.

commit ae0c052e47bbfbbf35afaddcd2e828513c5f5acd
Author: Mike Gilbert <floppym@gentoo.org>
Date: Sat Nov 19 13:42:36 2016 -0500

dev-python/httplib2: apply patch for CVE-2013-2037

Bug: https://bugs.gentoo.org/468252
Package-Manager: portage-2.3.2_p8

.../files/python-httplib2-0.9-cve-2013-2037.patch | 21 +++++++++++++++++++++
...ib2-0.9.2-r1.ebuild => httplib2-0.9.2-r2.ebuild} | 12 ++++++++----
2 files changed, 29 insertions(+), 4 deletions(-)

Thanks for the bump!

@ Arches, please stabilize =dev-python/httplib2-0.9.2-r2

Stable target(s): alpha amd64 arm ia64 ppc ppc64 sparc x86

amd64 stable

x86 stable

Stable on alpha.

arm stable

sparc stable

ppc stable

ia64 stable

ppc64 stable.

Maintainer(s), please cleanup.

Security, please vote.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5a2b1033da878bbeac7981180d21d5e17bb6445

commit e5a2b1033da878bbeac7981180d21d5e17bb6445
Author: Aaron Bauman <bman@gentoo.org>
Date: Tue Jan 24 16:51:00 2017 +0900

dev-python/httplib2: drop vulnerable wrt bug #468252

dev-python/httplib2/Manifest | 1 -
dev-python/httplib2/httplib2-0.9.1.ebuild | 33 -------------------------------
2 files changed, 34 deletions(-)

GLSA Vote: No

Repository is clean.
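The hostname check the description says httplib2 0.8 and earlier skipped, written out as an added example; this is not httplib2's code, the upstream proposal, or the Fedora/Gentoo patch. It takes the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns and matches the requested hostname against subjectAltName dNSName entries, falling back to the subject Common Name only when no dNSName is present; the sample certificate dicts are constructed for illustration.

```python
class CertificateHostnameMismatch(Exception):
    """Raised when the peer certificate does not cover the requested host."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName/CN value; '*' is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, cover exactly one label,
    # and never match a bare registrable domain such as "*.org".
    if labels[0] != "*" or len(labels) < 3 or len(labels) != len(host_labels):
        return False
    return labels[1:] == host_labels[1:]


def match_hostname(cert, hostname):
    """Check hostname against a getpeercert()-style dict; raise on mismatch."""
    if not cert:
        raise ValueError("empty or unvalidated certificate; cannot verify hostname")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # No dNSName SAN present: fall back to the subject Common Name,
        # the other field the CVE text says was never compared.
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    if any(_dnsname_match(name, hostname) for name in names):
        return True
    raise CertificateHostnameMismatch(
        "hostname %r doesn't match %s" % (hostname, ", ".join(map(repr, names))))


def verify(cert, hostname):
    """True/False wrapper around match_hostname for callers that prefer not to catch."""
    try:
        return match_hostname(cert, hostname)
    except CertificateHostnameMismatch:
        return False


# Constructed sample certificates in getpeercert() dict form (not real certificates).
SAN_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.cdn.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.net"),),)}
```

Without this step a connection validated only against the CA chain accepts any certificate the CA issued, which is exactly the spoofing the CVE text describes.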