From ${URL} : httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests.

Bugs:
http://code.google.com/p/httplib2/issues/detail?id=282
https://bugs.launchpad.net/httplib2/+bug/1175272

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-2037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2037): httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
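As an added example (not httplib2's code, and not the Fedora/Gentoo patch), the server-name check the CVE text describes as missing after the first request, written in Python over certificate dicts of the shape ssl.SSLSocket.getpeercert() returns; the two sample certificates are constructed. It applies the RFC 6125 rules in their common form: subjectAltName dNSName entries take precedence, the subject Common Name is a fallback only when no dNSName is present, and a wildcard is honoured only as the whole leftmost label.

```python
"""Server-name check of the kind CVE-2013-2037 says httplib2 skipped after
the first request on a connection.  Added example, not httplib2 code.
Certificate dicts follow the shape returned by ssl.SSLSocket.getpeercert();
the sample certificates at the bottom are constructed."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style).

    A '*' is accepted only as the whole leftmost label, it never matches
    across a dot, and it needs at least two further labels, so
    '*.example.org' covers 'www.example.org' but not 'a.b.example.org',
    'example.org', or anything under a bare '*.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate.

    dNSName entries in subjectAltName are authoritative; the subject
    Common Name is consulted only when the certificate has no dNSName."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_matches(value, hostname):
                return True
    return False


# Constructed sample certificates in getpeercert() layout.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.org"),),)}

if __name__ == "__main__":
    # A client that reuses a connection must run this for each request's
    # connection, not only the first; that omission is the CVE.
    for host in ("www.example.org", "a.b.example.org", "ignored.example.net"):
        print(host, hostname_matches_cert(SAN_CERT, host))
```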
Upstream now lives on GitHub. The relevant issue was imported, here: https://github.com/jcgregorio/httplib2/issues/243
(In reply to Dirkjan Ochtman from comment #2)
> Upstream now lives on GitHub. The relevant issue was imported, here:
>
> https://github.com/jcgregorio/httplib2/issues/243

Dirkjan, looks like you proposed a patch upstream at: https://github.com/httplib2/httplib2/issues/5

Do you intend to apply this in tree to fix the issue?
I don't really feel comfortable judging this patch. Personally, I feel every rdep should be moving away from httplib2, as it has been so badly maintained.
Ping. What's the status? Can we please either apply the patch from Fedora http://pkgs.fedoraproject.org/cgit/rpms/python-httplib2.git/tree/python-httplib2-0.9-cve-2013-2037.patch (looks like the proposed patch from Dirkjan) or start the removal process?
Please go ahead with stabilization.

commit ae0c052e47bbfbbf35afaddcd2e828513c5f5acd
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Sat Nov 19 13:42:36 2016 -0500

    dev-python/httplib2: apply patch for CVE-2013-2037

    Bug: https://bugs.gentoo.org/468252
    Package-Manager: portage-2.3.2_p8

 .../files/python-httplib2-0.9-cve-2013-2037.patch | 21 +++++++++++++++++++++
 ...ib2-0.9.2-r1.ebuild => httplib2-0.9.2-r2.ebuild} | 12 ++++++++----
 2 files changed, 29 insertions(+), 4 deletions(-)
Thanks for the bump!

@ Arches, please stabilize =dev-python/httplib2-0.9.2-r2

Stable target(s): alpha amd64 arm ia64 ppc ppc64 sparc x86
amd64 stable
x86 stable
Stable on alpha.
arm stable
sparc stable
ppc stable
ia64 stable
ppc64 stable. Maintainer(s), please clean up. Security, please vote.
https://github.com/gentoo/gentoo/pull/3618
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5a2b1033da878bbeac7981180d21d5e17bb6445

commit e5a2b1033da878bbeac7981180d21d5e17bb6445
Author: Aaron Bauman <bman@gentoo.org>
Date:   Tue Jan 24 16:51:00 2017 +0900

    dev-python/httplib2: drop vulnerable wrt bug #468252

 dev-python/httplib2/Manifest              |  1 -
 dev-python/httplib2/httplib2-0.9.1.ebuild | 33 -------------------------------
 2 files changed, 34 deletions(-)
GLSA Vote: No.

Repository is clean.