[Python-apps-team] Bug#861152: nagstamon: InsecureRequestWarning: Unverified HTTPS request is being made.

Moritz Schlarb schlarbm at uni-mainz.de
Tue Apr 25 08:43:03 UTC 2017


Control: forwarded -1 https://github.com/HenriWahl/Nagstamon/issues/302
Control: tags -1 + upstream confirmed

Hi Paul,

On Tue, 25 Apr 2017 11:27:01 +0800 Paul Wise <pabs at debian.org> wrote:
> Severity: serious
> Tags: security
> 
> When I run nagstamon from a terminal against the Debian nagios I get a
> warning about unverified and thus insecure HTTPS requests being made:
> 
> ...
> /usr/lib/python3/dist-packages/urllib3/connectionpool.py:845: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
>   InsecureRequestWarning)

Now stuff is getting interesting...

I think upstream is thinking differently about the severity of this
behaviour. In other parts of the code, these urllib3 warnings are
explicitly being disabled:
https://github.com/HenriWahl/Nagstamon/blob/master/Nagstamon/Servers/Generic.py#L24
So it just doesn't get noticed there although the behaviour is the same.

This explicit neglect of verifying HTTPS connections was added in
https://github.com/HenriWahl/Nagstamon/issues/126
which also had a Debian bug at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774687

There also is already an upstream equivalent of this bug report:
https://github.com/HenriWahl/Nagstamon/issues/302

Now is the current behaviour really a policy violation (if so, please
help me by pointing to the correct source for that) or would you be open
to lowering the severity of this bug?

Regards,
-- 
Moritz Schlarb
Unix-Gruppe | Systembetreuung
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
Raum 01-321 - Tel. +49 6131 39-29441
OpenPGP Fingerprint: DF01 2247 BFC6
5501 AFF2 8445 0C24 B841 C7DD BAAF