Bug 5256 - python-httplib2 security issue, HTTPS certificate validation
Summary: python-httplib2 security issue, HTTPS certificate validation
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
Reported: 2012-04-06 17:42 CEST by David Walser
Modified: 2012-05-16 12:50 CEST (History)

See Also:
Source RPM: python-httplib2-0.6.0-3.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-04-06 17:42:09 CEST
Ubuntu has issued this advisory on February 27:
http://www.ubuntu.com/usn/usn-1375-1/

Ubuntu fixed it by just upgrading to the newest version.

Cauldron is not vulnerable.
David Walser 2012-04-06 17:42:43 CEST

CC: (none) => makowski.mageia

Comment 1 Manuel Hiebel 2012-05-09 21:11:11 CEST
Ping?

Assignee: bugsquad => makowski.mageia

Comment 2 Philippe Makowski 2012-05-10 13:57:43 CEST
python-httplib2-0.7.2-1.mga1 is in 1/core/updates_testing

Sorry for the delay.
Comment 3 David Walser 2012-05-10 14:55:20 CEST
Assigning to QA.  Note to QA: the mgarepo tool used by packagers uses this, so it would be a good thing to test it with.  I think it just uses it for uploading binary files to the binrepo.  I guess some packagers should help QA with this.

Advisory:
========================

Updated python-httplib2 package fixes security vulnerability:

The httplib2 Python library earlier than version 0.7.0 did not perform any
server certificate validation when using HTTPS connections. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
be exploited to alter or compromise confidential information in
applications that used the httplib2 library.

References:
http://www.ubuntu.com/usn/usn-1375-1/
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.2-1.mga1

from python-httplib2-0.7.2-1.mga1.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 4 David Walser 2012-05-10 18:37:03 CEST
Well, I'm a packager, and I just so happened to need to upload something to the binrepo, so I just tested it, and it worked!  I was testing from i586, but I don't believe it should matter, as it's a noarch package.  I believe this can be validated.  I'll let the QA team confirm this first.  Thanks Philippe.
Comment 5 Dave Hodgins 2012-05-10 23:25:21 CEST
Based on comment 4, I'll go ahead and validate this update.

Could someone from the sysadmin team push the srpm
python-httplib2-0.7.2-1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory: Updated python-httplib2 package fixes security
vulnerability:

The httplib2 Python library earlier than version 0.7.0 did
not perform any server certificate validation when using
HTTPS connections. If a remote attacker were able to perform
a man-in-the-middle attack, this flaw could be exploited to
alter or compromise confidential information in applications
that used the httplib2 library.

References:
http://www.ubuntu.com/usn/usn-1375-1/

https://bugs.mageia.org/show_bug.cgi?id=5256

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
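
Added example for the advisory quoted in comments 3 and 5; this is not code from the bug, from Mageia's packaging or from the httplib2 project. It shows two checks a packager or QA tester could run around this update: a version gate, since only httplib2 0.7.0 and later validates server certificates, and an `ast`-based scan of Python source for `Http()` calls that pass `disable_ssl_certificate_validation=True`, a keyword the 0.7.x constructor accepts alongside `ca_certs` (assumed API), because a caller that opts out of validation is no better off after the update than it was with 0.6.0. The sample source, including its CA bundle path, is constructed for illustration.

```python
"""Audit helpers for the httplib2 HTTPS certificate-validation issue.

Added example; not code from the Mageia bug or the httplib2 project.
Assumptions: httplib2 >= 0.7.0 validates server certificates by default,
and its Http() constructor accepts ca_certs= and
disable_ssl_certificate_validation= keywords. SAMPLE_SOURCE below is a
constructed snippet, not code from any real package.
"""
import ast
import re

FIXED_VERSION = (0, 7, 0)  # first upstream release that validates certificates


def version_tuple(version):
    """Turn an RPM-style version such as '0.6.0-3.mga1' into (0, 6, 0).

    Only the upstream part before the first '-' is compared; the distro
    release suffix does not change the library's validation behaviour.
    """
    upstream = version.split("-", 1)[0]
    parts = re.findall(r"\d+", upstream)
    if not parts:
        raise ValueError("no numeric version in %r" % version)
    return tuple(int(p) for p in parts)


def validates_by_default(version):
    """True if this httplib2 version checks server certificates on HTTPS."""
    return version_tuple(version) >= FIXED_VERSION


def find_validation_opt_outs(source, filename="<string>"):
    """Return sorted (lineno, reason) pairs for every Http(...) call in
    `source` that turns certificate validation back off or leaves it to a
    runtime value. Matches both `httplib2.Http(...)` and a bare `Http(...)`.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else (
            func.id if isinstance(func, ast.Name) else None)
        if name != "Http":
            continue
        for kw in node.keywords:
            if kw.arg != "disable_ssl_certificate_validation":
                continue
            value = kw.value
            if isinstance(value, ast.Constant) and value.value is True:
                findings.append((node.lineno, "certificate validation disabled"))
            elif not (isinstance(value, ast.Constant) and value.value is False):
                findings.append((node.lineno,
                                 "validation controlled by a non-literal value; review"))
    return sorted(findings)


# Constructed sample: one safe call, one opt-out, one runtime-controlled flag.
# The ca_certs path is an assumed location for the system CA bundle.
SAMPLE_SOURCE = '''\
import httplib2
from httplib2 import Http

safe = httplib2.Http(ca_certs="/etc/pki/tls/certs/ca-bundle.crt")
lazy = httplib2.Http(disable_ssl_certificate_validation=True)
flag = Http(disable_ssl_certificate_validation=INSECURE)
explicit = Http(disable_ssl_certificate_validation=False)
'''


if __name__ == "__main__":
    for v in ("0.6.0-3.mga1", "0.7.2-1.mga1"):
        print(v, "validates certificates:", validates_by_default(v))
    for lineno, reason in find_validation_opt_outs(SAMPLE_SOURCE, "sample.py"):
        print("sample.py:%d: %s" % (lineno, reason))
```

Run against a tree of Python sources after the update lands; a hit on the second check means the application, not the library, still needs fixing.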

Comment 6 Thomas Backlund 2012-05-16 12:50:20 CEST
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED