Bug#719922: pu: package python-httplib2/0.7.4-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi!
python-httplib2 currently in stable has a small security issue where a
certificate hostname mismatch is caught the first time but not the
second time. This issue has been fixed in unstable and the security
team does not think this bug is important enough to get a DSA and
proposes that it be fixed in the next point release:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602
Attached is the proposed debdiff. Tested with:
>>> import httplib2
>>> h=httplib2.Http("")
>>> h.request("https://api.stage-01.dailymotion.com/")
-> CertificateHostnameMismatch exception
>>> h.request("https://api.stage-01.dailymotion.com/")
-> CertificateHostnameMismatch exception
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
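As an added illustration of the failure mode described in this report (example code written here, not httplib2's own), the following Python 3 sketch reproduces the connection-reuse pattern with a fake socket so that it runs offline. The vulnerable class assigns the wrapped socket to self.sock before the hostname check, so the second request() finds an open socket and never re-validates; the fixed class closes and discards the socket on a mismatch, the same idea as the attached patch. VulnerableConnection, FixedConnection, FakeSocket, hostname_matches and the WRONG_CERT dict are all invented for this example, and the certificate is constructed, not captured from any server.

```python
"""Added example (not httplib2's code): a failed hostname check must also
tear down the socket it was performed on, or the next request reuses it."""

import re


class CertificateHostnameMismatch(Exception):
    pass


class FakeSocket:
    """Stand-in for an ssl-wrapped socket; no network is touched.
    `cert` mimics the dict returned by ssl.SSLSocket.getpeercert()."""

    def __init__(self, cert):
        self.cert = cert
        self.closed = False

    def getpeercert(self):
        return self.cert

    def close(self):
        self.closed = True


def hostname_matches(cert, hostname):
    """Compare the requested hostname against the certificate's DNS
    subjectAltName entries, falling back to commonName when there are none.
    A leading wildcard matches exactly one DNS label."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    host = hostname.lower()
    for name in names:
        pattern = "^" + re.escape(name.lower()).replace(r"\*", r"[^.]+") + "$"
        if re.match(pattern, host):
            return True
    return False


class VulnerableConnection:
    """Mirrors the flawed flow: self.sock is assigned before the hostname
    check and nothing resets it when that check fails."""

    def __init__(self, host, cert):
        self.host = host
        self._cert = cert        # what the (fake) server will present
        self.sock = None

    def connect(self):
        self.sock = FakeSocket(self._cert)   # wrapped socket kept on self
        if not hostname_matches(self.sock.getpeercert(), self.host):
            raise CertificateHostnameMismatch(self.host)   # sock stays set

    def request(self):
        if self.sock is None:    # reconnect-only-if-needed pattern
            self.connect()
        return "200 OK"          # reached without validation the second time


class FixedConnection(VulnerableConnection):
    """The patched flow: a mismatch closes and discards the socket, so the
    next request reconnects and re-validates."""

    def connect(self):
        try:
            super().connect()
        except CertificateHostnameMismatch:
            if self.sock:
                self.sock.close()
                self.sock = None
            raise


def outcomes(conn, attempts=2):
    """Return what each successive request() yields on the same object."""
    results = []
    for _ in range(attempts):
        try:
            results.append(conn.request())
        except CertificateHostnameMismatch:
            results.append("CertificateHostnameMismatch")
    return results


# Constructed certificate: issued to a different name than the one requested.
WRONG_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    print(outcomes(VulnerableConnection("api.example.com", WRONG_CERT)))
    print(outcomes(FixedConnection("api.example.com", WRONG_CERT)))
```

Run as a script it prints ['CertificateHostnameMismatch', '200 OK'] for the vulnerable class and two mismatches for the fixed one, which is the difference between the two REPL transcripts in the report: the check itself is the same in both cases, only the cleanup on failure differs.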
diff -Nru python-httplib2-0.7.4/debian/changelog python-httplib2-0.7.4/debian/changelog
--- python-httplib2-0.7.4/debian/changelog 2012-05-27 12:07:32.000000000 +0200
+++ python-httplib2-0.7.4/debian/changelog 2013-08-16 22:31:06.000000000 +0200
@@ -1,3 +1,13 @@
+python-httplib2 (0.7.4-2+deb7u1) stable; urgency=low
+
+ * Team upload.
+
+ [Vincent Bernat]
+ * Stable update to fix CVE-2013-2037, #706602 by applying the same patch
+ as in unstable.
+
+ -- Vincent Bernat <bernat@debian.org> Fri, 16 Aug 2013 22:31:05 +0200
+
python-httplib2 (0.7.4-2) unstable; urgency=low
* debian/patches/egg-info.patch:
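Review bot: the entry "Stable update to fix CVE-2013-2037, #706602 by applying the same patch as in unstable." mentions the bug number but not in the "Closes: #706602" form the BTS parses, so accepting this upload will not close #706602 against the stable version; rewording it to "... CVE-2013-2037 (Closes: #706602) ..." fixes that without changing the meaning.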
diff -Nru python-httplib2-0.7.4/debian/patches/series python-httplib2-0.7.4/debian/patches/series
--- python-httplib2-0.7.4/debian/patches/series 2012-05-27 12:06:12.000000000 +0200
+++ python-httplib2-0.7.4/debian/patches/series 2013-08-16 22:31:32.000000000 +0200
@@ -1,2 +1,3 @@
use_system_cacerts.patch
egg-info.patch
+ssl-mismatch-check.patch
diff -Nru python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch
--- python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch 2013-08-16 22:31:27.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Close connection on certificate mismatch to avoid reuse
+Author: Roman Podolyaka <rpodolyaka...mirantis.com>
+Forwarded: https://code.google.com/p/httplib2/issues/detail?id=282
+
+diff -r 93291649202b python2/httplib2/__init__.py
+--- a/python2/httplib2/__init__.py Tue Mar 26 14:17:48 2013 -0400
++++ b/python2/httplib2/__init__.py Tue Apr 23 10:32:15 2013 +0300
+@@ -1030,7 +1030,7 @@
+ raise CertificateHostnameMismatch(
+ 'Server presented certificate that does not match '
+ 'host %s: %s' % (hostname, cert), hostname, cert)
+- except ssl_SSLError, e:
++ except (ssl_SSLError, CertificateHostnameMismatch), e:
+ if sock:
+ sock.close()
+ if self.sock:
+@@ -1040,7 +1040,7 @@
+ # to get at more detailed error information, in particular
+ # whether the error is due to certificate validation or
+ # something else (such as SSL protocol mismatch).
+- if e.errno == ssl.SSL_ERROR_SSL:
++ if hasattr(e, 'errno') and e.errno == ssl.SSL_ERROR_SSL:
+ raise SSLHandshakeError(e)
+ else:
+ raise
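Review bot: the DEP-3 header of the new ssl-mismatch-check.patch carries Description, Author and Forwarded but no Bug-Debian line, so the link to #706602 and CVE-2013-2037 only exists in the changelog; adding "Bug-Debian: http://bugs.debian.org/706602" (and a "Bug:" line for the upstream issue URL, which is currently only in Forwarded) makes the patch self-describing for the security tracker. Logic-wise the two embedded hunks are consistent: widening the except to "(ssl_SSLError, CertificateHostnameMismatch)" makes the socket-closing and "self.sock = None" cleanup run on a hostname mismatch as well, and the "hasattr(e, 'errno')" guard in the second hunk is required because CertificateHostnameMismatch has no errno attribute, so the mismatch falls through to the bare "raise" rather than being wrapped in SSLHandshakeError.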