OpenSuSE has issued an advisory today (May 10):
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html

The fix is attached to the upstream bug:
http://code.google.com/p/httplib2/issues/detail?id=282

It is currently checked into Mageia 2 and Cauldron SVN. Freeze push for Cauldron requested.
Patched packages uploaded for Mageia 2 and Cauldron. Patch added in Mageia 1 SVN.

Advisory:
========================

Updated python-httplib2 packages fix security vulnerability:

httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests (CVE-2013-2037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2037
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-3.mga2
python3-httplib2-0.7.4-3.mga2

from python-httplib2-0.7.4-3.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/550453/
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6568#c6
Whiteboard: (none) => has_procedure
Possible problem with python3 but I'm fumbling in the dark a bit.

Testing using this saved as p3get.py

import httplib2
h = httplib2.Http('.cache')
response, content = h.request('http://mageia.org', 'GET')
print (dict(response.items()))

run as..

$ python3 p3get.py
{'status': '200', 'content-location': 'http://www.mageia.org/en/', 'x-powered-by': 'PHP/5.3.18', 'transfer-encoding': 'chunked', 'server': 'Apache/2.2.23 (Mageia/PREFORK-1.mga1)', 'date': 'Wed, 22 May 2013 18:11:37 GMT', 'content-type': 'text/html'}

It works ok with http but with https..

$ python3 p3get.py
Traceback (most recent call last):
  File "p3get.py", line 3, in <module>
    response, content = h.request('https://mageia.org', 'GET')
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 1061, in request
    self.disable_ssl_certificate_validation)
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 774, in __init__
    context.load_verify_locations(ca_certs)
IOError: [Errno 2] No such file or directory

The regular python-httplib2 works well with the script from the procedure in comment 2 so this is failing only with python3 and only https.

I found this http://code.google.com/p/httplib2/issues/detail?id=173 and added

h.disable_ssl_certificate_validation=True

$ python3 p3get.py
Traceback (most recent call last):
  File "p3get.py", line 4, in <module>
    response, content = h.request('https://mageia.org', 'GET')
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 1061, in request
    self.disable_ssl_certificate_validation)
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 777, in __init__
    check_hostname=True)
  File "/usr/lib/python3.2/http/client.py", line 1089, in __init__
    raise ValueError("check_hostname needs a SSL context with "
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED

Seems the same problem mentioned there, with a potential fix.
also this http://stackoverflow.com/questions/7043756/how-do-i-make-calls-to-aws-with-python-3-and-httplib2-on-windows-7
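The two tracebacks above correspond to two distinct SSLContext failure modes: a CA bundle path that does not exist, and certificate verification switched off while hostname checking is still on. The sketch below is an added example, not code from this bug report or from httplib2; it uses the current Python standard-library ssl module (where the second error is raised when CERT_NONE is set rather than from http.client), and the helper names and the missing-bundle path are hypothetical.

```python
import os
import ssl


def build_context(ca_certs, disable_validation=False):
    """Hypothetical helper (not httplib2's code): build a client SSLContext."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with check_hostname on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_validation:
        # Order matters: hostname checking must be off before CERT_NONE is set.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not ca_certs or not os.path.isfile(ca_certs):
        # Fail closed, naming the path, instead of a bare "[Errno 2]".
        raise FileNotFoundError("CA bundle not found: %r" % (ca_certs,))
    ctx.load_verify_locations(cafile=ca_certs)
    return ctx


def validates_peers(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def reproduce_failures(missing_path):
    """Trigger both failure modes and return the exceptions that were raised."""
    results = {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=missing_path)
    except OSError as exc:  # IOError is an alias of OSError in Python 3
        results["missing_ca"] = exc
    try:
        ctx.verify_mode = ssl.CERT_NONE  # check_hostname is still True here
    except ValueError as exc:
        results["cert_none_with_hostname_check"] = exc
    return results


if __name__ == "__main__":
    # Constructed path that is assumed not to exist on the test machine.
    for name, exc in reproduce_failures("/nonexistent/ca-bundle.crt").items():
        print(name, "->", type(exc).__name__, exc)
    print("default validates:", validates_peers(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
```

A QA run can call validates_peers() on whatever context a client builds to confirm that a successful HTTPS request was actually made with verification enabled.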
Philippe, see Comment 3 and Comment 4.
CC: (none) => makowski.mageia
Whiteboard: has_procedure => has_procedure feedback
ok I see what the problem is thanks
Status: NEW => ASSIGNED
Sorry for the problem, it should be ok now

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-4.mga2
python3-httplib2-0.7.4-4.mga2
python-httplib2-0.7.7-4.mga3
python3-httplib2-0.7.7-4.mga3
Version: 2 => 3
Whiteboard: has_procedure feedback => MGA2TOO has_procedure feedback
Thanks Philippe

Converted the bug for the extra updates for mga3.

Testing complete mga2 32 using the scripts below..

$ cat get.py
import httplib2
h = httplib2.Http(".cache")
resp, content = h.request("https://mageia.org/", "GET")
print resp
print content

Run with 'python get.py'

$ cat p3get.py
import httplib2
h = httplib2.Http('.cache')
response, content = h.request('https://mageia.org', 'GET')
print (dict(response.items()))

Run with 'python3 p3get.py'
Whiteboard: MGA2TOO has_procedure feedback => MGA2TOO has_procedure mga2-32-ok
Testing complete mga2 64 and mga3 32 & 64

Validating

SRPMs:
python-httplib2-0.7.4-4.mga2.src.rpm
python-httplib2-0.7.7-4.mga3.src.rpm

Advisory in comment 1

Could sysadmin please push from core/updates_testing to core/updates for mga2 & 3

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
(In reply to claire robinson from comment #9)
> Testing complete mga2 64 and mga3 32 & 64
>
> Validating
>
> SRPMs:
> python-httplib2-0.7.4-4.mga2.src.rpm
> python-httplib2-0.7.7-4.mga3.src.rpm
>
> Advisory in comment 1

Not quite, that advisory was only for the Mageia 2 update, which fixed a security issue that was already fixed upstream in the Cauldron version. We'll need an addendum to the advisory for the bugfix, which will also serve as a MGAA bugfix advisory for the Mageia 3 update.
Philippe could you add the necessary advisory please.
The newest python3 fix is re-fixing Bug 6568 for the python3 httplib2 package.

Philippe, it probably doesn't need to be corrected in updates immediately, as most systems probably already have rootcerts installed, but both of these packages should Requires: rootcerts.

Advisory (Mageia 2):
========================

Updated python-httplib2 packages fix security vulnerability:

httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests (CVE-2013-2037).

Additionally, the python3-httplib2 package has been fixed so that it will use the system-wide Mozilla CA certificates from the rootcerts package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2037
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-4.mga2
python3-httplib2-0.7.4-4.mga2

from python-httplib2-0.7.4-4.mga2.src.rpm

Advisory (Mageia 3):
========================

The python3-httplib2 package has been fixed so that it will use the system-wide Mozilla CA certificates from the rootcerts package.
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.7-4.mga3
python3-httplib2-0.7.7-4.mga3

from python-httplib2-0.7.7-4.mga3.src.rpm
Mageia 2 update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0152

Mageia 3 update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGAA-2013-0025
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED