Ubuntu
python-httplib2 package

python-httplib2 < 0.7.0 doesn't validate server certificates

Bug #882030 reported by Marc Deslauriers on 2011-10-26

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	python-httplib2 (Ubuntu)	Fix Released	High	Unassigned
	Lucid	Fix Released	High	Unassigned
	Maverick	Fix Released	High	Unassigned
	Natty	Fix Released	High	Unassigned
	Oneiric	Fix Released	High	Unassigned
	Precise	Fix Released	High	Unassigned

Bug Description

python-httplib2 added support for checking https certificates in 0.7.0. The packages currently in Natty and older don't perform any certificate validation, permitting man in the middle attacks on any software that uses the library and doesn't perform checks of it's own.

Related branches

lp:ubuntu/natty-proposed/python-httplib2

lp:ubuntu/maverick-proposed/python-httplib2

lp:ubuntu/lucid-proposed/python-httplib2

lp:ubuntu/oneiric-proposed/python-httplib2

Jamie Strandboge (jdstrand) on 2011-12-13

Changed in python-httplib2 (Ubuntu):
status:	New → Confirmed

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-02-06:

#1

For Oneiric, see bug 882027: it doesn't use the system CA certs by default.

visibility:	private → public
Changed in python-httplib2 (Ubuntu Lucid):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Maverick):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Oneiric):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Natty):
status:	New → Confirmed
Changed in python-httplib2 (Ubuntu Lucid):
importance:	Undecided → High
Changed in python-httplib2 (Ubuntu Maverick):
importance:	Undecided → High
Changed in python-httplib2 (Ubuntu Natty):
importance:	Undecided → High
Changed in python-httplib2 (Ubuntu Oneiric):
importance:	Undecided → High
Changed in python-httplib2 (Ubuntu Precise):
importance:	Undecided → High
status:	Confirmed → Fix Released

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-02-06:

#2

SRU team: this isn't an SRU, it's a security update that we've put in -proposed to get more testing. Please let the security team handle this. Thanks.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-02-27:

#3

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.04.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
    - debian/control: adjust to work with older dependencies.
    - debian/{control,rules}: get rid of python3 package.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 14:07:20 -0500

Changed in python-httplib2 (Ubuntu Lucid):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-02-27:

#4

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.10.10.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
    - debian/control: adjust to work with older dependencies.
    - debian/patches/python31-compat.patch: fix compatibility with python3
      version in maverick.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 15:32:42 -0500

Changed in python-httplib2 (Ubuntu Maverick):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-02-27:

#5

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.11.04.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:56:37 -0500

Changed in python-httplib2 (Ubuntu Natty):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-02-27:

#6

This bug was fixed in the package python-httplib2 - 0.7.2-1ubuntu2~0.11.10.1

---------------
python-httplib2 (0.7.2-1ubuntu2~0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate validation (LP: #882030)
    - Backport 0.7.2 as a security update to get proper SSL certificate
      validation support and prevent MITM attacks.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2012 13:54:02 -0500

Changed in python-httplib2 (Ubuntu Oneiric):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.