| Summary: | python-httplib2 new security issue CVE-2013-2037 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | makowski.mageia, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/550453/ | ||
| Whiteboard: | MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok | ||
| Source RPM: | python-httplib2-0.7.7-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-05-10 18:54:39 CEST
Patched packages uploaded for Mageia 2 and Cauldron. Patch added in Mageia 1 SVN.

Advisory:
========================

Updated python-httplib2 packages fix security vulnerability:

httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests (CVE-2013-2037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2037
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-3.mga2
python3-httplib2-0.7.4-3.mga2

from python-httplib2-0.7.4-3.mga2.src.rpm

Version: Cauldron => 2
David Walser
2013-05-13 20:23:03 CEST
URL: (none) => http://lwn.net/Vulnerabilities/550453/

Possible problem with python3 but I'm fumbling in the dark a bit.

Testing using this saved as p3get.py:

```python
import httplib2
h = httplib2.Http('.cache')
response, content = h.request('http://mageia.org', 'GET')
print (dict(response.items()))
```

run as..

```
$ python3 p3get.py
{'status': '200', 'content-location': 'http://www.mageia.org/en/', 'x-powered-by': 'PHP/5.3.18', 'transfer-encoding': 'chunked', 'server': 'Apache/2.2.23 (Mageia/PREFORK-1.mga1)', 'date': 'Wed, 22 May 2013 18:11:37 GMT', 'content-type': 'text/html'}
```

It works ok with http but with https..

```
$ python3 p3get.py
Traceback (most recent call last):
  File "p3get.py", line 3, in <module>
    response, content = h.request('https://mageia.org', 'GET')
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 1061, in request
    self.disable_ssl_certificate_validation)
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 774, in __init__
    context.load_verify_locations(ca_certs)
IOError: [Errno 2] No such file or directory
```

The regular python-httplib2 works well with the script from the procedure in comment 2 so this is failing only with python3 and only https.

I found this http://code.google.com/p/httplib2/issues/detail?id=173 and added

```python
h.disable_ssl_certificate_validation=True
```

```
$ python3 p3get.py
Traceback (most recent call last):
  File "p3get.py", line 4, in <module>
    response, content = h.request('https://mageia.org', 'GET')
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 1061, in request
    self.disable_ssl_certificate_validation)
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 777, in __init__
    check_hostname=True)
  File "/usr/lib/python3.2/http/client.py", line 1089, in __init__
    raise ValueError("check_hostname needs a SSL context with "
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED
```

Seems the same problem mentioned there, with a potential fix.
claire robinson
2013-05-23 09:50:16 CEST
Whiteboard: has_procedure => has_procedure feedback

ok I see what the problem is thanks

Status: NEW => ASSIGNED

Sorry for the problem, it should be ok now

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-4.mga2
python3-httplib2-0.7.4-4.mga2
python-httplib2-0.7.7-4.mga3
python3-httplib2-0.7.7-4.mga3
claire robinson
2013-05-24 09:52:30 CEST
Version: 2 => 3

Thanks Philippe

Converted the bug for the extra updates for mga3.

Testing complete mga2 32 using the scripts below..

```
$ cat get.py
import httplib2
h = httplib2.Http(".cache")
resp, content = h.request("https://mageia.org/", "GET")
print resp
print content
```

Run with 'python get.py'

```
$ cat p3get.py
import httplib2
h = httplib2.Http('.cache')
response, content = h.request('https://mageia.org', 'GET')
print (dict(response.items()))
```

Run with 'python3 p3get.py'

Whiteboard: MGA2TOO has_procedure feedback => MGA2TOO has_procedure mga2-32-ok

Testing complete mga2 64 and mga3 32 & 64

Validating

SRPMs:
python-httplib2-0.7.4-4.mga2.src.rpm
python-httplib2-0.7.7-4.mga3.src.rpm

Advisory in comment 1

Could sysadmin please push from core/updates_testing to core/updates for mga2 & 3

Thanks!

Keywords: (none) => validated_update

(In reply to claire robinson from comment #9)
> Testing complete mga2 64 and mga3 32 & 64
>
> Validating
>
> SRPMs:
> python-httplib2-0.7.4-4.mga2.src.rpm
> python-httplib2-0.7.7-4.mga3.src.rpm
>
> Advisory in comment 1

Not quite, that advisory was only for the Mageia 2 update, which fixed a security issue that was already fixed upstream in the Cauldron version. We'll need an addendum to the advisory for the bugfix, which will also serve as a MGAA bugfix advisory for the Mageia 3 update. Philippe could you add the necessary advisory please.

The newest python3 fix is re-fixing Bug 6568 for the python3 httplib2 package.

Philippe, it probably doesn't need to be corrected in updates immediately, as most systems probably already have rootcerts installed, but both of these packages should Requires: rootcerts.

Advisory (Mageia 2):
========================

Updated python-httplib2 packages fix security vulnerability:

httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests (CVE-2013-2037).

Additionally, the python3-httplib2 package has been fixed so that it will use the system-wide Mozilla CA certificates from the rootcerts package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2037
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-4.mga2
python3-httplib2-0.7.4-4.mga2

from python-httplib2-0.7.4-4.mga2.src.rpm

Advisory (Mageia 3):
========================

The python3-httplib2 package has been fixed so that it will use the system-wide Mozilla CA certificates from the rootcerts package.
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.7-4.mga3
python3-httplib2-0.7.7-4.mga3

from python-httplib2-0.7.7-4.mga3.src.rpm

Mageia 2 update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0152

Mageia 3 update pushed: https://wiki.mageia.org/en/Support/Advisories/MGAA-2013-0025

Status: ASSIGNED => RESOLVED