[Bug 651161] Re: bzr fails to verify ssl validity in https connections - by default --> as pycurl isn't a dep only a suggestion
Jelmer Vernooij
651161 at bugs.launchpad.net
Thu Nov 24 16:57:56 UTC 2011
** Changed in: bzr
Status: Confirmed => In Progress
** Changed in: bzr
Assignee: (unassigned) => Jelmer Vernooij (jelmer)
** Changed in: bzr
Importance: Medium => High
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/651161
Title:
bzr fails to verify ssl validity in https connections - by default -->
as pycurl isn't a dep only a suggestion
Status in Bazaar Version Control System:
In Progress
Status in “bzr” package in Ubuntu:
Triaged
Status in “bzr” package in Debian:
New
Bug description:
Because pycurl isn't a dependency, only a "suggestion", it will not be installed with bzr on Ubuntu.
This is bad because the https implementation is broken as per bug http://bugs.python.org/issue1589
as bzr seems not to verify the common name (etc.) --> (see http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/annotate/head%3A/bzrlib/transport/http/_urllib2_wrappers.py)
So your application is vulnerable: as long as I have a certificate signed by a CA in the CA store, I can MITM bzr by default, as pycurl isn't a dep. Iff pycurl is installed you are not vulnerable.
Please let me know if I am wrong :)
To manage notifications about this bug go to:
https://bugs.launchpad.net/bzr/+bug/651161/+subscriptions
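The report above turns on one missing step: after the TLS chain is validated against the CA store, the client must also confirm that the certificate was issued for the host it meant to reach, otherwise any CA-signed certificate (issued to any name) is accepted. The following is an added illustration of that hostname check and of an ssl context configured to enforce it; it is not bzr code and not the patch for this bug. The certificate dicts are constructed samples in the shape that Python's `SSLSocket.getpeercert()` returns, and the host names in them are assumptions for the example.

```python
"""Hostname check a TLS client must perform after chain validation.
Added illustration, not bzr code. Certificate dicts are constructed
samples in the shape returned by ssl.SSLSocket.getpeercert()."""
import ssl

# Constructed: certificate issued to the host we intend to talk to.
CERT_GOOD = {
    "subject": ((("commonName", "bazaar.launchpad.net"),),),
    "subjectAltName": (("DNS", "bazaar.launchpad.net"), ("DNS", "*.launchpad.net")),
}

# Constructed: a validly CA-signed certificate, but for a different host.
# A client that validates the chain and skips this check accepts it,
# which is the interposition scenario the bug report describes.
CERT_OTHER_HOST = {
    "subject": ((("commonName", "other.example"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

# Constructed: legacy certificate carrying only a commonName, no SAN.
CERT_CN_ONLY = {
    "subject": ((("commonName", "bazaar.launchpad.net"),),),
}


def _dns_names(cert):
    """Names the certificate claims; subjectAltName wins, CN is a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # RFC 6125 style: consult the CN only when no dNSName SAN is present.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Match one certificate name; a wildcard is honoured only as the
    whole leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.launchpad.net" -> ".launchpad.net"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    # Reject the bare domain and anything spanning more than one label.
    return bool(prefix) and "." not in prefix


def hostname_matches(cert, hostname):
    """True iff the certificate is valid for `hostname`."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def verifying_context():
    """An SSLContext that validates the chain AND checks the hostname.
    Either check alone leaves the client open to a CA-signed wrong-host cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """Quick self-check that a context enforces both requirements."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for cert, label in ((CERT_GOOD, "good"), (CERT_OTHER_HOST, "other host"),
                        (CERT_CN_ONLY, "CN only")):
        print(label, "->", hostname_matches(cert, "bazaar.launchpad.net"))
    print("strict context:", context_is_strict(verifying_context()))
```

With `check_hostname` enabled on the context, `ssl.SSLSocket` performs the equivalent of `hostname_matches` itself during the handshake and fails the connection on a mismatch; the standalone matcher here exists to make the missing step visible and to show why a wildcard must not match the bare domain or a second-level label.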