Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 532232 (CVE-2014-9365) - <dev-lang/python-2.7.9-r1: Does not validate HTTPS certificate of peer or certificate hostname (CVE-2014-9365)
Summary: <dev-lang/python-2.7.9-r1: Does not validate HTTPS certificate of peer or cer...
Status: RESOLVED FIXED
Alias: CVE-2014-9365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://mail.python.org/pipermail/pyt...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2014-7185
  Show dependency tree
 
Reported: 2014-12-11 06:35 UTC by Patrick Lauer
Modified: 2015-03-18 22:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Lauer gentoo-dev 2014-12-11 06:35:30 UTC
See URL.
Comment 1 Agostino Sarubbo gentoo-dev 2014-12-11 09:07:05 UTC
http://www.openwall.com/lists/oss-security/2014/12/11/1
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-12-11 09:11:37 UTC
Crap. We need to patch all 3.* too.
Comment 3 Dirkjan Ochtman gentoo-dev 2014-12-11 14:52:35 UTC
Or use this to expedite 3.4 stabilization?
Comment 4 Mike Gilbert gentoo-dev 2014-12-11 15:21:20 UTC
(In reply to Dirkjan Ochtman from comment #3)
> Or use this to expedite 3.4 stabilization?

That probably won't help much. We are waiting on a few dozen python packages before we can many 3.4 the default without confusing lots of people.
Comment 5 Dirkjan Ochtman gentoo-dev 2014-12-11 15:27:10 UTC
Yeah... Can we drop 3.2.x?
Comment 6 Mike Gilbert gentoo-dev 2014-12-11 15:33:35 UTC
(In reply to Dirkjan Ochtman from comment #5)
> Yeah... Can we drop 3.2.x?

Yeah, let's mask it for a bit. Would be nice to keep the ebuild in the tree in case somebody wants to test something.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-12 06:17:12 UTC
Adding vulnerability text so we do not have to jump to external site:

Title: Python standard HTTP libraries fail to validate TLS certificates for
HTTPS
Products: CPython, all 2.x versions prior to 2.7.9, 3.x versions prior to
3.4.3
Description:

When Python's standard library HTTP clients (httplib, urllib, urllib2,
xmlrpclib) are used to access resources with HTTPS, by default the
certificate
is not checked against any trust store, nor is the hostname in the
certificate
checked against the requested host. It was possible to configure a trust
root
to be checked against, however there were no faculties for hostname
checking.

This made MITM attacks against the HTTP clients trivial, and violated RFC
2818
(http://tools.ietf.org/html/rfc2818#section-3).

Python 2.7.9 has been issued to resolve this issue. It is also resolved in
3.4.3, which has not yet been released.
Comment 8 Mike Gilbert gentoo-dev 2014-12-12 16:56:09 UTC
If nobody else has done it, I will plan on adding 2.7.9 to the tree this weekend.

For the 3.4 branch, I would prefer to wait for the upstream release.

I'm not sure what is happening on the 3.3 branch; if there is no upstream release scheduled soon, we can try to backport this.
Comment 9 Mike Gilbert gentoo-dev 2014-12-14 17:15:57 UTC
dev-lang/python-2.7.9 is in the tree. Let's give it a week in ~arch before stabilizing.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-22 01:58:01 UTC
Arches, please test and mark stable:

=dev-lang/python-2.7.9

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!
Comment 11 Jeroen Roovers gentoo-dev 2014-12-22 14:40:45 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-23 09:03:15 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-23 09:04:29 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-24 14:38:18 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-24 14:48:24 UTC
ppc64 stable
Comment 16 Mike Gilbert gentoo-dev 2014-12-24 19:10:00 UTC
I just revbumped the ebuild. New target is:

=dev-lang/python-2.7.9-r1

I copied the existing stable keywords.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 19:31:42 UTC
CVE-2014-9365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365):
  The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4)
  xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before
  3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against
  a trust store or verify that the server hostname matches a domain name in
  the subject's (b) Common Name or (c) subjectAltName field of the X.509
  certificate, which allows man-in-the-middle attackers to spoof SSL servers
  via an arbitrary valid certificate.
Comment 18 Agostino Sarubbo gentoo-dev 2014-12-25 11:21:23 UTC
ia64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-12-26 09:20:27 UTC
sparc stable
Comment 20 Markus Meier gentoo-dev 2014-12-30 17:58:03 UTC
arm stable
Comment 21 Tobias Klausmann gentoo-dev 2015-01-09 12:18:33 UTC
Stable on alpha.
Comment 22 Benjamin Peterson 2015-03-18 02:31:24 UTC
Python 3.4.3 has now been released, so hopefully that can be stablized, too.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-03-18 22:36:34 UTC
This issue was resolved and addressed in
 GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10
by GLSA coordinator Kristian Fiskerstrand (K_F).