Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests

To: Michael Kesper <mkesper@schokokeks.org>
Cc: debian-python <debian-python@lists.debian.org>
Subject: Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
From: Ondrej Novy <novy@ondrej.org>
Date: Tue, 29 Oct 2019 14:01:29 +0100
Message-id: <[🔎] CAOO6c=wnXQLUFJKwj3pyATR2-zUM0EJz6zzFFrX1qxnOXg1RPg@mail.gmail.com>
In-reply-to: <[🔎] e6ffc518-4329-54aa-acd2-05a242c1de05@schokokeks.org>
References: <[🔎] bb131949c409df06cbb4725cb125771e@debian.org> <[🔎] 20191027151300.wxpij5kweuy6uw6i@mornie> <[🔎] 6c89d2c7a0e830e0656210f395a8426d@debian.org> <[🔎] e6ffc518-4329-54aa-acd2-05a242c1de05@schokokeks.org>

Hi,

út 29. 10. 2019 v 13:29 odesílatel Michael Kesper <mkesper@schokokeks.org> napsal:

> I see. Still an odd kind of protection though. The attacker can just downgrade themselves.

No. A sensible server will not talk to you if your requested SSL version is too low.
pub.orcid.org seems to use absolutely outdated and insecure software versions.

right. If you want good security, you need to limit TLS version on both side (client-urlib3 and server-whatever). Than downgrade attack is not possible.

Best regards
Ondřej Nový

Reply to:

References:
- Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
  - From: Drew Parsons <dparsons@debian.org>
- Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
  - From: Daniele Tricoli <eriol@debian.org>
- Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
  - From: Drew Parsons <dparsons@debian.org>
- Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
  - From: Michael Kesper <mkesper@schokokeks.org>

Prev by Date: Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
Next by Date: Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
Previous by thread: Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
Next by thread: Re: python-urllib3 1.25.6 uploaded to experimental (closes CVE-2019-11236) but fails build tests
Index(es):
- Date
- Thread