SuSE has issued an advisory today (June 25): http://lists.opensuse.org/opensuse-updates/2012-06/msg00029.html
This affects Mageia 1 and Mageia 2 as well, but I'm not sure if it's worth issuing an update for. SuSE corrected this by patching it to look at /etc/ssl/ca-bundle.pem instead of /usr/lib/python2.7/site-packages/httplib2/cacerts.txt. We don't have /etc/ssl/ca-bundle.pem, but we do have /etc/pki/tls/certs/ca-bundle.crt which looks like it might be in the right format. I'll attach their patch.
CC: (none) => makowski.mageiaWhiteboard: (none) => MGA2TOO, MGA1TOO
Created attachment 2495 [details] httplib2-use-system-certs.patch Patch from OpenSuSE: httplib2-use-system-certs.patch
Updates are in testing for MGA1 and MGA2
Thanks Philippe :o) I'll test this next time I need to upload something to the binrepo, as I did in Bug 5256, if nobody beats me to it. Advisory: ======================== python-httplib2 ships its own copy of the Mozilla NSS certificates, but it should use the system-wide ones provided by the rootcerts package instead. This has been corrected. References: http://lists.opensuse.org/opensuse-updates/2012-06/msg00029.html ======================== Updated packages in core/updates_testing: ======================== python-httplib2-0.7.4-1.mga1 python-httplib2-0.7.4-2.mga2 from SRPMS: python-httplib2-0.7.4-1.mga1.src.rpm python-httplib2-0.7.4-2.mga2.src.rpm
Version: Cauldron => 2Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Assignee: bugsquad => qa-bugs
I don't think uploading to the binrepo uses https, so we should find some way to test that.
Created attachment 2538 [details] get.py simple example from http://code.google.com/p/httplib2/wiki/Examples I edited the Simple Retrieval example to fetch headers from https://mageia.org and show them. tested with 'python get.py' Is this sufficient? If so then testing complete mga1 64
adding 'print content' also prints the content.
Whiteboard: MGA1TOO => MGA1TOO mga1-64-OK
testing complete mga2 64
Hardware: i586 => AllWhiteboard: MGA1TOO mga1-64-OK => MGA1TOO mga1-64-OK mga2-64-OK
Tested using: $ strace -o strace.out python get.py $ grep open strace.out | grep -v "such file" | grep bundle open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY) = 4 open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY) = 5 Shows it using system certs.
(In reply to comment #6) > Created attachment 2538 [details] > get.py simple example from http://code.google.com/p/httplib2/wiki/Examples > > I edited the Simple Retrieval example to fetch headers from https://mageia.org > and show them. > > tested with 'python get.py' > > Is this sufficient? > > If so then testing complete mga1 64 Yes, that looks like a really good test. I tried it on Mageia 1 i586 and before the update, the certificate verification actually doesn't work at all for me. I get a "certificate verify failed" error and Python exception. Installing the update fixes this for me. Also, before the update, strace shows: open("/usr/lib/python2.7/site-packages/httplib2/cacerts.txt", O_RDONLY|O_LARGEFILE) = 4 and after installing the update, strace shows: open("/etc/ssl/certs/ca-bundle.crt", O_RDONLY|O_LARGEFILE) = 5 So this worked out really well :D
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK
Tested successfully on Mageia 2 i586 as well. Claire, I'll let you do the final validation honors since I haven't done it in so long :o)
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK mga2-32-OK
Thanks for testing David Validating SRPMs and advisory in comment 4 for mga1 and 2 Could sysadmin please push from core/updates_testing to core/updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0129
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
hey folks, sorry for the zombie. Using /etc/ssl/certs/ca-bundle.crt is perhaps not quite the right choice. That's not the canonical location, it's a compat symlink. See rootcerts.spec: https://svnweb.mageia.org/packages/cauldron/rootcerts/current/SPECS/rootcerts.spec?view=markup # be compatible with Debian/Ubuntu SSL paths # fix #58107 (also used by dovecot default config) install -d %{buildroot}%{_sysconfdir}/ssl for d in certs private; do ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/ done the most correct location would, I believe, be /etc/pki/tls/certs/ca-bundle.crt (same as Fedora/RHEL's canonical location). Sharp-eyed readers may note Fedora's patch uses the same slightly not-the-best location, I'll fix that one :P
CC: (none) => adamw
also note that (again for both Mageia and Fedora) the Python 3 code needs patching as well, no-one seems to be doing that.
here's the updated patch I sent to Fedora today: http://pkgs.fedoraproject.org/cgit/python-httplib2.git/tree/python-httplib2.certfile.patch
Thanks Adam! Nice to see you, and thanks for the heads up. I've updated our patch in Cauldron.