| Summary: | python-httplib2 should use system-wide cacerts instead of bundled ones | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | adamw, makowski.mageia, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/503384/ | ||
| Whiteboard: | MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK mga2-32-OK | ||
| Source RPM: | python-httplib2-0.7.4-1.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | httplib2-use-system-certs.patch; get.py simple example from http://code.google.com/p/httplib2/wiki/Examples | ||
Description

David Walser
2012-06-26 00:00:45 CEST

This affects Mageia 1 and Mageia 2 as well, but I'm not sure if it's worth issuing an update for. SuSE corrected this by patching it to look at /etc/ssl/ca-bundle.pem instead of /usr/lib/python2.7/site-packages/httplib2/cacerts.txt. We don't have /etc/ssl/ca-bundle.pem, but we do have /etc/pki/tls/certs/ca-bundle.crt, which looks like it might be in the right format. I'll attach their patch.

CC: (none) => makowski.mageia

Created attachment 2495 [details]
httplib2-use-system-certs.patch

Patch from OpenSuSE: httplib2-use-system-certs.patch

Updates are in testing for MGA1 and MGA2

Thanks Philippe :o) I'll test this next time I need to upload something to the binrepo, as I did in Bug 5256, if nobody beats me to it.

Advisory:
========================

python-httplib2 ships its own copy of the Mozilla NSS certificates, but it should use the system-wide ones provided by the rootcerts package instead. This has been corrected.

References:
http://lists.opensuse.org/opensuse-updates/2012-06/msg00029.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-1.mga1
python-httplib2-0.7.4-2.mga2

from SRPMS:
python-httplib2-0.7.4-1.mga1.src.rpm
python-httplib2-0.7.4-2.mga2.src.rpm

Version: Cauldron => 2
David Walser
2012-07-05 22:41:23 CEST

Assignee: bugsquad => qa-bugs

I don't think uploading to the binrepo uses https, so we should find some way to test that.

Created attachment 2538 [details]
get.py simple example from http://code.google.com/p/httplib2/wiki/Examples

I edited the Simple Retrieval example to fetch headers from https://mageia.org and show them.

Tested with 'python get.py'

Is this sufficient?

If so then testing complete mga1 64

Adding 'print content' also prints the content.
claire robinson
2012-07-09 18:09:27 CEST

Whiteboard: MGA1TOO => MGA1TOO mga1-64-OK

Testing complete mga2 64

Hardware: i586 => All

Tested using:

$ strace -o strace.out python get.py
$ grep open strace.out | grep -v "such file" | grep bundle
open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY) = 4
open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY) = 5

Shows it using system certs.
(In reply to comment #6)
> Created attachment 2538 [details]
> get.py simple example from http://code.google.com/p/httplib2/wiki/Examples
>
> I edited the Simple Retrieval example to fetch headers from https://mageia.org
> and show them.
>
> tested with 'python get.py'
>
> Is this sufficient?
>
> If so then testing complete mga1 64

Yes, that looks like a really good test. I tried it on Mageia 1 i586 and before the update, the certificate verification actually doesn't work at all for me. I get a "certificate verify failed" error and Python exception. Installing the update fixes this for me.

Also, before the update, strace shows:
open("/usr/lib/python2.7/site-packages/httplib2/cacerts.txt", O_RDONLY|O_LARGEFILE) = 4

and after installing the update, strace shows:
open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY|O_LARGEFILE) = 5

So this worked out really well :D

Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK

Tested successfully on Mageia 2 i586 as well. Claire, I'll let you do the final validation honors since I haven't done it in so long :o)

Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK mga2-32-OK

Thanks for testing, David. Validating SRPMs and advisory in comment 4 for mga1 and 2. Could sysadmin please push from core/updates_testing to core/updates. Thanks

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0129

Status: NEW => RESOLVED

Hey folks, sorry for the zombie. Using /etc/ssl/certs/ca-bundle.crt is perhaps not quite the right choice. That's not the canonical location, it's a compat symlink. See rootcerts.spec:

https://svnweb.mageia.org/packages/cauldron/rootcerts/current/SPECS/rootcerts.spec?view=markup

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

The most correct location would, I believe, be /etc/pki/tls/certs/ca-bundle.crt (same as Fedora/RHEL's canonical location). Sharp-eyed readers may note Fedora's patch uses the same slightly not-the-best location, I'll fix that one :P

CC: (none) => adamw

Also note that (again for both Mageia and Fedora) the Python 3 code needs patching as well, no-one seems to be doing that. Here's the updated patch I sent to Fedora today:

http://pkgs.fedoraproject.org/cgit/python-httplib2.git/tree/python-httplib2.certfile.patch

Thanks Adam! Nice to see you, and thanks for the heads up. I've updated our patch in Cauldron.
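The three checks this thread turns on (whether /etc/pki/tls/certs/ca-bundle.crt is in the right format, the strace confirmation of which bundle gets opened, and the later point that /etc/ssl/certs/ca-bundle.crt is only a compat symlink for the canonical path), as an added Python 3 example that is not code from the bug report, the patch or httplib2: it selects the first existing candidate bundle, resolves symlinks so the real location is visible, and sanity-checks the PEM contents. The helper names are hypothetical; the candidate paths are the ones discussed in the thread and the sample bundle is constructed.

```python
"""Select the canonical system CA bundle for httplib2 and sanity-check it.
Added example, not code from the bug report or from httplib2; the helper
names are hypothetical, the candidate paths are the ones the report discusses."""
import os
import re
import ssl

# Canonical Mageia/Fedora location first, then the Debian/Ubuntu-style
# compat symlink, then the openSUSE path from the original patch.
CANDIDATE_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
)

# Constructed sample in cacerts.txt style; bodies are placeholders, not real certs.
SAMPLE_BUNDLE = """# Example CA 1
-----BEGIN CERTIFICATE-----
MIIBplaceholder1
-----END CERTIFICATE-----
# Example CA 2
-----BEGIN CERTIFICATE-----
MIIBplaceholder2
-----END CERTIFICATE-----
"""

_BEGIN, _END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def select_system_bundle(candidates=CANDIDATE_BUNDLES,
                         exists=os.path.exists, realpath=os.path.realpath):
    """Return (chosen, canonical) for the first existing candidate; a symlink
    such as /etc/ssl/certs -> /etc/pki/tls/certs is resolved to its real target."""
    for path in candidates:
        if exists(path):
            return path, realpath(path)
    return None, None

def count_pem_certs(text):
    """Count PEM certificate blocks; raise ValueError on unbalanced markers,
    which is what a truncated or badly concatenated bundle looks like."""
    if text.count(_BEGIN) != text.count(_END):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    bodies = re.findall(re.escape(_BEGIN) + r"(.*?)" + re.escape(_END), text, re.S)
    return sum(1 for body in bodies if body.strip())

def ca_count_via_ssl(path):
    """Load the bundle with the stdlib ssl module and report how many CA
    certificates OpenSSL actually accepted from it."""
    return ssl.create_default_context(cafile=path).cert_store_stats()["x509_ca"]
```

On a Mageia or Fedora host, `ca_count_via_ssl(select_system_bundle()[1])` should be non-zero and the canonical path should be under /etc/pki/tls/certs; a zero count or a missing candidate is the "certificate verify failed" situation described above.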