Your message dated Thu, 13 Sep 2012 17:32:38 +0000
with message-id <e1tcdhk-0004lu...@franck.debian.org>
and subject line Bug#686872: fixed in python-urllib3 1.3-3
has caused the Debian Bug report #686872,
regarding python-urllib3 should default to verifying certificates
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
686872: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-urllib3
Version: 1.3-2
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* debian/patches/02_require-cert-verification.patch: verify SSL certificates
by default (LP: #1047054)
urllib3 does not set cert_reqs or ca_certs by default, so certificates are not
checked and MITM is trivial. I.e., it has in connectionpool.py:
    def __init__(self, host, port=None,
                 strict=False, timeout=None, maxsize=1,
                 block=False, headers=None,
                 key_file=None, cert_file=None,
                 cert_reqs='CERT_NONE', ca_certs=None):
This should be changed to:
    def __init__(self, host, port=None,
                 strict=False, timeout=None, maxsize=1,
                 block=False, headers=None,
                 key_file=None, cert_file=None,
                 cert_reqs='CERT_REQUIRED',
                 ca_certs='/etc/ssl/certs/ca-certificates.crt'):
Attached is a patch to do the above. It has been verified to check
certificates by default, allows for disabling certificate verification,
and the testsuite passes without modification.
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers quantal-updates
APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5.0-13-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru python-urllib3-1.3/debian/changelog python-urllib3-1.3/debian/changelog
diff -Nru python-urllib3-1.3/debian/patches/02_require-cert-verification.patch python-urllib3-1.3/debian/patches/02_require-cert-verification.patch
--- python-urllib3-1.3/debian/patches/02_require-cert-verification.patch 1969-12-31 18:00:00.000000000 -0600
+++ python-urllib3-1.3/debian/patches/02_require-cert-verification.patch 2012-09-06 16:15:25.000000000 -0500
@@ -0,0 +1,18 @@
+Author: Jamie Strandboge <ja...@canonical.com>
+Description: require SSL certificate validation by default by using
+ CERT_REQUIRED and using the system /etc/ssl/certs/ca-certificates.crt
+Bug-Ubuntu: https://launchpad.net/bugs/1047054
+
+Index: python-urllib3-1.3/urllib3/connectionpool.py
+===================================================================
+--- python-urllib3-1.3.orig/urllib3/connectionpool.py 2012-09-06 16:03:50.000000000 -0500
++++ python-urllib3-1.3/urllib3/connectionpool.py 2012-09-06 16:08:59.000000000 -0500
+@@ -463,7 +463,7 @@
+ strict=False, timeout=None, maxsize=1,
+ block=False, headers=None,
+ key_file=None, cert_file=None,
+- cert_reqs='CERT_NONE', ca_certs=None):
++ cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt'):
+
+ super(HTTPSConnectionPool, self).__init__(host, port,
+ strict, timeout, maxsize,
diff -Nru python-urllib3-1.3/debian/patches/series python-urllib3-1.3/debian/patches/series
--- python-urllib3-1.3/debian/patches/series 2012-02-10 16:46:21.000000000 -0600
+++ python-urllib3-1.3/debian/patches/series 2012-09-06 16:03:57.000000000 -0500
@@ -1 +1,2 @@
01_do-not-use-embedded-python-six.patch
+02_require-cert-verification.patch
--- End Message ---
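The report above explains that urllib3 1.3 leaves cert_reqs and ca_certs unset, so any caller that accepts the defaults gets an unverified TLS connection. Until the patched package is installed, a defender wants to find such call sites. The following is an added example (mine, not the reporter's patch and not urllib3 code): a small static audit that walks Python source with the standard-library ast module and flags HTTPSConnectionPool constructions whose cert_reqs is omitted or not 'CERT_REQUIRED', or that require verification without supplying a ca_certs bundle. The sample source it scans is constructed; the PoolManager and connection_from_url names in the constructor set, and the host names, are assumptions.

```python
"""Static audit for urllib3 HTTPS pools that do not require certificate
verification.  Added example for the report above; not part of the Debian
bug report, the patch, or urllib3 itself."""
import ast

# Constructors that accept cert_reqs / ca_certs.  HTTPSConnectionPool is the
# class the report patches; PoolManager and connection_from_url are listed as
# an assumption about other common urllib3 entry points.
POOL_CONSTRUCTORS = {"HTTPSConnectionPool", "PoolManager", "connection_from_url"}


def _call_name(call):
    """Callee name for bare (HTTPSConnectionPool(...)) and attribute
    (urllib3.HTTPSConnectionPool(...)) calls; None for anything else."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _string_literal(node):
    """Value of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def audit_source(source, filename="<string>"):
    """Return (lineno, constructor, reason) for every pool construction in
    `source` that cannot be shown to verify the peer certificate."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in POOL_CONSTRUCTORS:
            continue
        if any(kw.arg is None for kw in node.keywords):
            # **kwargs splat: the arguments are not visible statically.
            findings.append((node.lineno, name,
                             "arguments passed via **kwargs; verify manually"))
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        if "cert_reqs" not in kwargs:
            findings.append((node.lineno, name,
                             "cert_reqs omitted; relies on the library default "
                             "(CERT_NONE before this patch)"))
            continue
        cert_reqs = _string_literal(kwargs["cert_reqs"])
        if cert_reqs is None:
            findings.append((node.lineno, name,
                             "cert_reqs is not a string literal; verify manually"))
        elif cert_reqs != "CERT_REQUIRED":
            findings.append((node.lineno, name,
                             "cert_reqs=%r disables verification" % cert_reqs))
        elif "ca_certs" not in kwargs:
            findings.append((node.lineno, name,
                             "CERT_REQUIRED without ca_certs; no CA bundle supplied "
                             "(the library default is ca_certs=None before this patch)"))
    findings.sort(key=lambda f: f[0])
    return findings


# Constructed sample source, not taken from any real project.
SAMPLE_SOURCE = '''\
import urllib3
from urllib3 import HTTPSConnectionPool

pool_a = HTTPSConnectionPool("example.invalid", port=443)
pool_b = urllib3.HTTPSConnectionPool("example.invalid", cert_reqs="CERT_NONE")
pool_c = HTTPSConnectionPool("example.invalid", cert_reqs="CERT_REQUIRED",
                             ca_certs="/etc/ssl/certs/ca-certificates.crt")
http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED")
'''

if __name__ == "__main__":
    for lineno, ctor, reason in audit_source(SAMPLE_SOURCE, "sample.py"):
        print("sample.py:%d: %s: %s" % (lineno, ctor, reason))
```

Run as a script it reports three of the four constructions in the sample (the pool that passes both cert_reqs='CERT_REQUIRED' and a ca_certs bundle is the only one left unflagged). The check is deliberately conservative: anything it cannot resolve statically, such as a non-literal cert_reqs or a **kwargs splat, is reported for manual review rather than assumed safe.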
--- Begin Message ---
Source: python-urllib3
Source-Version: 1.3-3
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniele Tricoli <er...@mornie.org> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 10 Sep 2012 14:33:35 +0200
Source: python-urllib3
Binary: python-urllib3 python3-urllib3
Architecture: source all
Version: 1.3-3
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Daniele Tricoli <er...@mornie.org>
Description:
python-urllib3 - HTTP library with thread-safe connection pooling for Python
python3-urllib3 - HTTP library with thread-safe connection pooling for Python3
Closes: 686872
Changes:
python-urllib3 (1.3-3) unstable; urgency=low
.
* debian/control
- Added ca-certificates to Recommends field
* debian/patches/02_require-cert-verification.patch
- require SSL certificate validation by default by using
CERT_REQUIRED and using the system
/etc/ssl/certs/ca-certificates.crt.
Thanks to Jamie Strandboge for report and patch
(Closes: #686872)
Checksums-Sha1:
b158c4619e486790ac9b401c95537c1043b58fd9 2195 python-urllib3_1.3-3.dsc
924a86515053e17b97e2127b397dd397205fcdda 4950 python-urllib3_1.3-3.debian.tar.gz
7d975d07087936651421db566dddb5c0f8a594f5 27270 python-urllib3_1.3-3_all.deb
6e601d2845004e70583a1b6c231d17b6519ebfe1 25804 python3-urllib3_1.3-3_all.deb
Checksums-Sha256:
b1f0973c91a7d5af9618d9199b486527720bdbc3df583abf920adcef7803a702 2195 python-urllib3_1.3-3.dsc
81c369c7968d2304b3ef07174d9a4b217f4aba4c25b95442ccd19fef4a958133 4950 python-urllib3_1.3-3.debian.tar.gz
ae28cd60459863605752ecf91113b44f964836d080003e0655107380e9249e43 27270 python-urllib3_1.3-3_all.deb
0f755eca023c6acf3c06936bd432ea54f383f89dd5a0d1f11c14ad085cd18faf 25804 python3-urllib3_1.3-3_all.deb
Files:
000cbb5595a51cd555b6b6970436b122 2195 python optional python-urllib3_1.3-3.dsc
9674eac768b892b7d83ea2f6771e9a61 4950 python optional python-urllib3_1.3-3.debian.tar.gz
af9591932757ca407224646ddb56f43c 27270 python optional python-urllib3_1.3-3_all.deb
fb00ebef95720e5a5335509b1f6fba04 25804 python optional python3-urllib3_1.3-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCgAGBQJQUhYtAAoJEK728aKnRXZFsIcQAMxZ/Xp4lqBNGkVG1KkP0MNG
arX5gNL08jbkWfW0b6518L96k5W+XV789UYHFDY0peb3gVeyHic/zvsTwkJ/advx
uvWvSXhsPNqnTpl76Tl5vTyoCZ6fvksl6xQhcGKN4sKdFgNT+tEwmikQw5d/ZnlR
lay5RZ6R+H0B+VgfkhIgaiePcVacL7Vh9pKf98h6qM+3TYIbwt6zj+A0zcWTKlNm
WgSlVi1yXpF9wBb1AbSNnOKvG3G+cusvlTkdeOL8zd8bDIHePQtzMEubZG9k+Jsj
VTc1ECZM8kwIuy5vpw84PL6esDz4g4WQVdYoFb6ZWgUxPwF1Ve7Z2GwhsWB2dsoy
g17laHONw/Aqr73RTxctfHJdeFQOREJw3YlkvNCoMKq9Zt5zaYBZPIfOyLhY4fTd
cPnS10Aklqgc9vazc8jdAoy69qQ8st32/r5FpR1DGQq12W7C49xezVfemi9cxrni
LK1ImWm6Q8GlmCT7kvrZrIGNK+rIOeANrRORoeBinQLQlkKGEw9udtKDEHPoADUX
/yTpldc1Z1pLHrZSPRgvCXlyOxFjQw6KMX2Mf28pyHDrlqO2gudxy1aMtdJLYnL/
JQC1EIxKtUqSNYCn2+vQpJG0F8EZC0WaStvBbMKflZkW2bBMTNSCr6TO2BV2/kF2
8wbKTf2Ta7uU3zVMxyRp
=xCTY
-----END PGP SIGNATURE-----
--- End Message ---