[Python-modules-team] Bug#686872: python-urllib3 should default to verifying certificates
Jamie Strandboge
jamie at ubuntu.com
Thu Sep 6 21:33:35 UTC 2012
Package: python-urllib3
Version: 1.3-2
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* debian/patches/02_require-cert-verification.patch: verify SSL certificates
by default (LP: #1047054)
urllib3 does not set cert_reqs or ca_certs by default, so certificates are not
checked and MITM is trivial. I.e., it has in connectionpool.py:
    def __init__(self, host, port=None,
                 strict=False, timeout=None, maxsize=1,
                 block=False, headers=None,
                 key_file=None, cert_file=None,
                 cert_reqs='CERT_NONE', ca_certs=None):
This should be changed to:
    def __init__(self, host, port=None,
                 strict=False, timeout=None, maxsize=1,
                 block=False, headers=None,
                 key_file=None, cert_file=None,
                 cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt'):
Attached is a patch to do the above. It has been verified that it checks
certificates by default and allows disabling certificate verification,
and the test suite passes without modification.
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers quantal-updates
APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5.0-13-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: python-urllib3_1.3-2ubuntu1.debdiff
Type: text/x-diff
Size: 1820 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20120906/97ce3286/attachment.diff>
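The following is an added example for readers of this report; it is not part of the bug report, the attached debdiff, or urllib3 itself. It uses only the standard-library ssl module to build a client context the way urllib3's pool interprets its cert_reqs and ca_certs arguments, so the unpatched default (CERT_NONE, no bundle) and the patched default (CERT_REQUIRED, Debian bundle path) can be compared, and it shows what a caller on an unpatched urllib3 should pass explicitly. The CA bundle paths other than /etc/ssl/certs/ca-certificates.crt and all function names are assumptions made for this example.

```python
"""Added example (not from the bug report or from urllib3): build a TLS
client context from urllib3-style cert_reqs/ca_certs arguments so that
the unpatched and patched defaults can be compared side by side."""
import os
import ssl

# The patch hard-codes the first path.  The others are assumed locations
# on other distributions; where none exists the caller must pass ca_certs
# explicitly, otherwise verification cannot be turned on at all.
CA_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu (from the patch)
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL, Fedora (assumed)
    "/etc/ssl/ca-bundle.pem",              # openSUSE (assumed)
)

# The defaults quoted in the report, before and after the patch.
UNPATCHED_DEFAULTS = {"cert_reqs": "CERT_NONE", "ca_certs": None}
PATCHED_DEFAULTS = {"cert_reqs": "CERT_REQUIRED",
                    "ca_certs": CA_BUNDLE_CANDIDATES[0]}


def resolve_cert_reqs(candidate):
    """Map urllib3's string form ('CERT_NONE', 'CERT_REQUIRED') to the
    ssl module constant of the same name.  None behaves like CERT_NONE."""
    if candidate is None:
        return ssl.CERT_NONE
    if isinstance(candidate, str):
        return getattr(ssl, candidate)
    return candidate


def find_ca_bundle(candidates=CA_BUNDLE_CANDIDATES):
    """Return the first CA bundle path that exists on this host, or None."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def build_context(cert_reqs="CERT_NONE", ca_certs=None, check_hostname=None):
    """Create an SSLContext from urllib3-style arguments.

    Fails loudly (ValueError, or OSError/FileNotFoundError from the ssl
    module) when verification is requested without a usable CA bundle,
    rather than silently degrading to an unverified connection.
    """
    mode = resolve_cert_reqs(cert_reqs)
    if check_hostname is None:
        # CERT_REQUIRED alone only validates the chain; matching the peer
        # name is a separate step, so turn it on whenever we verify at all.
        check_hostname = mode != ssl.CERT_NONE
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be set before verify_mode: the ssl module refuses
    # to drop to CERT_NONE while hostname checking is still enabled.
    ctx.check_hostname = check_hostname
    ctx.verify_mode = mode
    if mode != ssl.CERT_NONE:
        if ca_certs is None:
            raise ValueError("%s requested but no ca_certs given" % cert_reqs)
        ctx.load_verify_locations(cafile=ca_certs)  # raises if path missing
    return ctx


def verifies_peer(ctx):
    """True when the context will reject an untrusted certificate."""
    return ctx.verify_mode != ssl.CERT_NONE


def verification_kwargs(ca_certs=None):
    """Keyword arguments to pass to HTTPSConnectionPool on an unpatched
    urllib3, so verification does not depend on the library's defaults."""
    bundle = ca_certs or find_ca_bundle()
    if bundle is None:
        raise ValueError("no CA bundle found; pass ca_certs explicitly")
    return {"cert_reqs": "CERT_REQUIRED", "ca_certs": bundle}


if __name__ == "__main__":
    for label, defaults in (("unpatched", UNPATCHED_DEFAULTS),
                            ("patched", PATCHED_DEFAULTS)):
        try:
            ctx = build_context(**defaults)
            print("%-9s verify_mode=%s -> verifies peer: %s"
                  % (label, ctx.verify_mode.name, verifies_peer(ctx)))
        except OSError as exc:
            print("%-9s cannot enable verification: %s" % (label, exc))
```

Running the script on a Debian or Ubuntu host prints that the unpatched defaults never verify and the patched ones do; on a host without /etc/ssl/certs/ca-certificates.crt the patched defaults fail at load_verify_locations instead of quietly connecting unverified, which is the caveat of hard-coding one distribution's bundle path.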