Bug 532232 (CVE-2014-9365) - <dev-lang/python-2.7.9-r1: Does not validate HTTPS certificate of peer or certificate hostname (CVE-2014-9365)
Summary: <dev-lang/python-2.7.9-r1: Does not validate HTTPS certificate of peer or cer...
Status: RESOLVED FIXED
Alias: CVE-2014-9365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mail.python.org/pipermail/pyt...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2014-7185
Reported: 2014-12-11 06:35 UTC by Patrick Lauer
Modified: 2015-03-18 22:36 UTC

See Also:
Package list:
Runtime testing required: ---


Description Patrick Lauer gentoo-dev 2014-12-11 06:35:30 UTC
See URL.
Comment 1 Agostino Sarubbo gentoo-dev 2014-12-11 09:07:05 UTC
http://www.openwall.com/lists/oss-security/2014/12/11/1
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-12-11 09:11:37 UTC
Crap. We need to patch all 3.* too.
Comment 3 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-12-11 14:52:35 UTC
Or use this to expedite 3.4 stabilization?
Comment 4 Mike Gilbert gentoo-dev 2014-12-11 15:21:20 UTC
(In reply to Dirkjan Ochtman from comment #3)
> Or use this to expedite 3.4 stabilization?

That probably won't help much. We are waiting on a few dozen python packages before we can make 3.4 the default without confusing lots of people.
Comment 5 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-12-11 15:27:10 UTC
Yeah... Can we drop 3.2.x?
Comment 6 Mike Gilbert gentoo-dev 2014-12-11 15:33:35 UTC
(In reply to Dirkjan Ochtman from comment #5)
> Yeah... Can we drop 3.2.x?

Yeah, let's mask it for a bit. Would be nice to keep the ebuild in the tree in case somebody wants to test something.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-12-12 06:17:12 UTC
Adding vulnerability text so we do not have to jump to external site:

Title: Python standard HTTP libraries fail to validate TLS certificates for HTTPS
Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to 3.4.3
Description:

When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking.

This made MITM attacks against the HTTP clients trivial, and violated RFC 2818 (http://tools.ietf.org/html/rfc2818#section-3).

Python 2.7.9 has been issued to resolve this issue. It is also resolved in 3.4.3, which has not yet been released.
Comment 8 Mike Gilbert gentoo-dev 2014-12-12 16:56:09 UTC
If nobody else has done it, I will plan on adding 2.7.9 to the tree this weekend.

For the 3.4 branch, I would prefer to wait for the upstream release.

I'm not sure what is happening on the 3.3 branch; if there is no upstream release scheduled soon, we can try to backport this.
Comment 9 Mike Gilbert gentoo-dev 2014-12-14 17:15:57 UTC
dev-lang/python-2.7.9 is in the tree. Let's give it a week in ~arch before stabilizing.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-12-22 01:58:01 UTC
Arches, please test and mark stable:

=dev-lang/python-2.7.9

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-22 14:40:45 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-23 09:03:15 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-23 09:04:29 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-24 14:38:18 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-24 14:48:24 UTC
ppc64 stable
Comment 16 Mike Gilbert gentoo-dev 2014-12-24 19:10:00 UTC
I just revbumped the ebuild. New target is:

=dev-lang/python-2.7.9-r1

I copied the existing stable keywords.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 19:31:42 UTC
CVE-2014-9365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365):
  The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
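The hostname rule that both the upstream description in comment 7 and the CVE text above refer to, RFC 2818 section 3, as an added example that is not part of the bug report or of CPython: subjectAltName dNSName entries take precedence over the subject Common Name, a wildcard covers exactly one label, and a final helper reports whether the running interpreter's default client context, the behaviour 2.7.9 and 3.4.3 introduced, requires a trusted certificate and checks the hostname. The certificate dict is constructed, in the layout SSLSocket.getpeercert() returns.

```python
import ssl
from typing import Any, Dict, Iterator

# Constructed sample in the layout SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}

def _dns_names(cert: Dict[str, Any]) -> Iterator[str]:
    """dNSName entries of subjectAltName; RFC 2818 s3 says these must be used when present."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            yield value

def _common_names(cert: Dict[str, Any]) -> Iterator[str]:
    """commonName attributes of the subject, the fallback when no dNSName SAN exists."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                yield value

def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    A wildcard is accepted only as the entire leftmost label and matches exactly
    one label, so '*.example.org' covers 'www.example.org' but not 'a.b.example.org'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: Dict[str, Any], hostname: str) -> bool:
    """True if the certificate is valid for hostname. This is the check the affected
    Python versions never performed, which is why any valid certificate was accepted."""
    names = list(_dns_names(cert))
    if not names:  # CN is consulted only when no dNSName SAN is present
        names = list(_common_names(cert))
    return any(_name_matches(n, hostname) for n in names)

def default_context_verifies() -> bool:
    """Whether this interpreter's default client context, the fixed behaviour shipped in
    2.7.9 / 3.4.3, requires a trusted certificate chain and checks the hostname."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```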
Comment 18 Agostino Sarubbo gentoo-dev 2014-12-25 11:21:23 UTC
ia64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-12-26 09:20:27 UTC
sparc stable
Comment 20 Markus Meier gentoo-dev 2014-12-30 17:58:03 UTC
arm stable
Comment 21 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-09 12:18:33 UTC
Stable on alpha.
Comment 22 Benjamin Peterson 2015-03-18 02:31:24 UTC
Python 3.4.3 has now been released, so hopefully that can be stabilized, too.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:36:34 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10
by GLSA coordinator Kristian Fiskerstrand (K_F).