Package: python-urllib3
Version: 1.3-2
Severity: grave
Tags: patch security
Justification: user security hole
User: [email protected]
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* debian/patches/02_require-cert-verification.patch: verify SSL certificates
by default (LP: #1047054)
urllib3 does not set cert_req or ca_certs by default, so certificates are not
checked and MITM is trivial. I.e., it has in connectionpool.py:
    def __init__(self, host, port=None,
                 strict=False, timeout=None, maxsize=1,
                 block=False, headers=None,
                 key_file=None, cert_file=None,
                 cert_reqs='CERT_NONE', ca_certs=None):
This should be changed to:
    def __init__(self, host, port=None,
                 strict=False, timeout=None, maxsize=1,
                 block=False, headers=None,
                 key_file=None, cert_file=None,
                 cert_reqs='CERT_REQUIRED',
                 ca_certs='/etc/ssl/certs/ca-certificates.crt'):
Attached is a patch to do the above. It has been verified to check
certificates by default, allows for disabling certificate verification,
and the testsuite passes without modification.
Thanks for considering the patch.
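As an added illustration (not part of this report and not urllib3 code), the following stdlib-only Python shows what the two default pairs above mean for an HTTPS client: `CERT_NONE` never checks the server chain, `CERT_REQUIRED` is only useful together with a readable CA bundle, and hostname matching is a separate flag on top of chain validation. The helper names `classify_tls_policy` and `build_context` and the `exists` parameter are this example's own; `SYSTEM_CA_BUNDLE` is the path the patch uses.

```python
"""Added example: what cert_reqs / ca_certs defaults buy an HTTPS client.

Stdlib-only; does not import urllib3. classify_tls_policy and build_context
are this example's own helpers, not urllib3 API.
"""
import os
import ssl

# Trust-anchor path chosen by the Ubuntu patch in this report.
SYSTEM_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'

# HTTPSConnectionPool keyword defaults before and after the patch.
UNPATCHED_DEFAULTS = {'cert_reqs': 'CERT_NONE', 'ca_certs': None}
PATCHED_DEFAULTS = {'cert_reqs': 'CERT_REQUIRED', 'ca_certs': SYSTEM_CA_BUNDLE}


def classify_tls_policy(cert_reqs='CERT_NONE', ca_certs=None, exists=os.path.isfile):
    """Classify a cert_reqs/ca_certs pair by the protection it actually gives.

    'unverified'      - CERT_NONE: the chain is never checked, so any certificate,
                        including one minted by an interposer, is accepted.
    'no-trust-anchor' - verification requested but nothing to verify against.
    'missing-bundle'  - a bundle path is set but the file is absent on this host
                        (e.g. ca-certificates not installed): every handshake fails.
    'verified'        - the chain is validated against the named bundle.
    `exists` is injectable so the check can be exercised without real files.
    """
    if cert_reqs == 'CERT_NONE':
        return 'unverified'
    if ca_certs is None:
        return 'no-trust-anchor'
    if not exists(ca_certs):
        return 'missing-bundle'
    return 'verified'


def build_context(cert_reqs='CERT_REQUIRED', ca_certs=SYSTEM_CA_BUNDLE):
    """Turn the same keywords into an ssl.SSLContext.

    PROTOCOL_TLS_CLIENT starts out with verify_mode=CERT_REQUIRED and
    check_hostname=True. CERT_REQUIRED alone only validates the chain; the
    hostname match is the separate check_hostname flag, and both are needed
    to reject a valid certificate issued for some other name.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    mode = getattr(ssl, cert_reqs)      # 'CERT_NONE' -> ssl.CERT_NONE, etc.
    if mode == ssl.CERT_NONE:
        ctx.check_hostname = False      # must be cleared before lowering verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if ca_certs is None:
        raise ValueError('cert_reqs=%s needs a CA bundle' % cert_reqs)
    ctx.verify_mode = mode
    # Raises FileNotFoundError / ssl.SSLError if the bundle is missing or unusable.
    ctx.load_verify_locations(cafile=ca_certs)
    return ctx


if __name__ == '__main__':
    for label, kw in (('unpatched', UNPATCHED_DEFAULTS), ('patched', PATCHED_DEFAULTS)):
        print('%-9s cert_reqs=%-13s ca_certs=%s -> %s'
              % (label, kw['cert_reqs'], kw['ca_certs'], classify_tls_policy(**kw)))
```

Running it on a Debian/Ubuntu host with ca-certificates installed reports the unpatched defaults as `unverified` and the patched ones as `verified`; on a host without the bundle the patched defaults come back as `missing-bundle`, which is the failure mode a packager has to plan for when hard-coding that path.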
-- System Information:
Debian Release: wheezy/sid
APT prefers quantal-updates
APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500,
'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5.0-13-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru python-urllib3-1.3/debian/changelog python-urllib3-1.3/debian/changelog
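Review bot: the debian/changelog diff header here carries no `---`/`+++` lines and no hunk, so the changelog entry that should accompany this change (version, the LP bug reference, and the security note) cannot be reviewed from this attachment; please resend with the changelog hunk included.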
diff -Nru python-urllib3-1.3/debian/patches/02_require-cert-verification.patch python-urllib3-1.3/debian/patches/02_require-cert-verification.patch
--- python-urllib3-1.3/debian/patches/02_require-cert-verification.patch 1969-12-31 18:00:00.000000000 -0600
+++ python-urllib3-1.3/debian/patches/02_require-cert-verification.patch 2012-09-06 16:15:25.000000000 -0500
@@ -0,0 +1,18 @@
+Author: Jamie Strandboge <[email protected]>
+Description: require SSL certificate validation by default by using
+ CERT_REQUIRED and using the system /etc/ssl/certs/ca-certificates.crt
+Bug-Ubuntu: https://launchpad.net/bugs/1047054
+
+Index: python-urllib3-1.3/urllib3/connectionpool.py
+===================================================================
+--- python-urllib3-1.3.orig/urllib3/connectionpool.py 2012-09-06 16:03:50.000000000 -0500
++++ python-urllib3-1.3/urllib3/connectionpool.py 2012-09-06 16:08:59.000000000 -0500
+@@ -463,7 +463,7 @@
+ strict=False, timeout=None, maxsize=1,
+ block=False, headers=None,
+ key_file=None, cert_file=None,
+- cert_reqs='CERT_NONE', ca_certs=None):
++ cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt'):
+
+ super(HTTPSConnectionPool, self).__init__(host, port,
+ strict, timeout, maxsize,
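Review bot: the new default `ca_certs='/etc/ssl/certs/ca-certificates.crt'` on the `++` line of the connectionpool.py hunk hard-codes a Debian/Ubuntu path, so on a host where that file is absent (ca-certificates not installed, or the module reused on another platform) every HTTPSConnectionPool built with default arguments will fail to open the bundle rather than fall back; the packaging should add a Depends on ca-certificates and the patch header should state that requirement. Separately, `cert_reqs='CERT_REQUIRED'` only makes the chain be validated against the bundle; whether the connection class also matches the certificate against the requested hostname is not visible in this hunk and should be confirmed before the bug is considered closed.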
diff -Nru python-urllib3-1.3/debian/patches/series python-urllib3-1.3/debian/patches/series
--- python-urllib3-1.3/debian/patches/series 2012-02-10 16:46:21.000000000 -0600
+++ python-urllib3-1.3/debian/patches/series 2012-09-06 16:03:57.000000000 -0500
@@ -1 +1,2 @@
01_do-not-use-embedded-python-six.patch
+02_require-cert-verification.patch