[Bug 651161] Re: urllib https implementation does not verify ssl certificates
Launchpad Bug Tracker
651161 at bugs.launchpad.net
Wed Feb 8 13:37:18 UTC 2012
** Branch linked: lp:ubuntu/bzr
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/651161
Title:
urllib https implementation does not verify ssl certificates
Status in Bazaar Version Control System:
Fix Released
Status in “bzr” package in Ubuntu:
In Progress
Status in “bzr” package in Debian:
Fix Released
Bug description:
Because pycurl isn't a dependency, only a "suggestion", it will not be installed with bzr on Ubuntu.
This is bad because the https implementation is broken as per bug http://bugs.python.org/issue1589
as bzr seems not to verify the common name (etc.) --> (see http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/annotate/head%3A/bzrlib/transport/http/_urllib2_wrappers.py)
So your application is vulnerable: as long as I have a certificate signed by a CA in the CA store, I can MITM bzr by default, as pycurl isn't a dep. Iff pycurl is installed you are not vulnerable.
Please let me know if I am wrong :)
To manage notifications about this bug go to:
https://bugs.launchpad.net/bzr/+bug/651161/+subscriptions
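The report above is about an HTTPS client that accepts any certificate chaining to a trusted CA without checking that the certificate's name matches the host being contacted. The following is an added example, not code from bzr, Python or the reporter: it shows the hostname check the report says is missing (SAN dNSName entries first, CN only as a fallback, a single leftmost wildcard label), a urllib opener wired to a context that performs both chain and hostname verification, and a small audit helper that flags the weak configuration beside the correct one. The certificate dicts and host names (`example.test`, `legacy.test`) are constructed for the example and follow the shape returned by `SSLSocket.getpeercert()`.

```python
import ssl
import urllib.request

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns for a
# certificate that carries both a CN and subjectAltName entries (hypothetical host).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

# Constructed sample: an older-style certificate with a CN and no SAN extension.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.test"),),)}


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is accepted only as the entire leftmost label, must be followed by
    at least two labels, and never spans a dot (so *.example.test does not cover
    a.b.example.test).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """Return True if hostname is covered by the cert's SAN dNSNames.

    The commonName is consulted only when the certificate has no DNS SAN at all,
    which is the fallback behaviour of RFC 6125-style verifiers.
    """
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_name_matches(name, hostname) for name in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def context_is_safe(ctx):
    """Audit helper: True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verifying_context(cafile=None):
    """Context that requires a trusted chain and a matching hostname (the fixed form)."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True and loads
    # the system trust store unless a cafile is given.
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """The weak configuration the bug describes, kept only so an audit can recognise it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_opener(cafile=None):
    """urllib opener whose HTTPS connections go through the verifying context."""
    handler = urllib.request.HTTPSHandler(context=verifying_context(cafile))
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    print("example.test     ->", hostname_matches_cert(SAMPLE_CERT, "example.test"))
    print("api.example.test ->", hostname_matches_cert(SAMPLE_CERT, "api.example.test"))
    print("evil.test        ->", hostname_matches_cert(SAMPLE_CERT, "evil.test"))
    print("default context safe:", context_is_safe(verifying_context()))
    print("CERT_NONE context safe:", context_is_safe(unverified_context()))
```

`verifying_opener()` is what a client in the fixed state uses: `ssl.create_default_context()` refuses an untrusted chain and a mismatched name before any HTTP bytes are exchanged, which is the property the reporter says pycurl provided and the urllib path lacked. `context_is_safe()` is the check to run over any `SSLContext` a code base constructs by hand, since the `CERT_NONE` form is easy to leave in place after debugging.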