[Bug 1175272] Re: requests permitted after invalid certificate is received
Launchpad Bug Tracker
1175272 at bugs.launchpad.net
Mon Sep 9 12:55:23 UTC 2013
This bug was fixed in the package python-httplib2 -
0.7.2-1ubuntu2~0.10.04.2
---------------
python-httplib2 (0.7.2-1ubuntu2~0.10.04.2) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect SSL certificate checking with multiple
    requests (LP: #1175272)
    - debian/patches/CVE-2013-2037.patch: close connection on cert mismatch
      in python2/httplib2/__init__.py.
    - CVE-2013-2037
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com> Fri, 06 Sep 2013 10:03:40 -0400

** Changed in: python-httplib2 (Ubuntu Lucid)
       Status: Confirmed => Fix Released

** Changed in: python-httplib2 (Ubuntu Quantal)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-httplib2 in Ubuntu.
https://bugs.launchpad.net/bugs/1175272

Title:
  requests permitted after invalid certificate is received

Status in httplib2:
  Unknown
Status in “python-httplib2” package in Ubuntu:
  Confirmed
Status in “python-httplib2” source package in Lucid:
  Fix Released
Status in “python-httplib2” source package in Precise:
  Fix Released
Status in “python-httplib2” source package in Quantal:
  Fix Released
Status in “python-httplib2” source package in Raring:
  Fix Released
Status in “python-httplib2” source package in Saucy:
  Confirmed
Status in “python-httplib2” package in Debian:
  New

Bug description:
  After httplib2 has found a certificate to be invalid it will permit
  future requests on the same https connection. Future requests will be
  performed without validating the certificate.

  The attached program attempts two requests on a single https
  connection. One request receives a
  httplib2.CertificateHostnameMismatch exception, the other receives a
  HTTP 200 success code.

  An invalid certificate should be treated as a connection error, and
  future requests should attempt to establish a new https connection to
  the server.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: python-httplib2 0.7.2-1ubuntu2
  ProcVersionSignature: Ubuntu 3.2.0-40.64-generic 3.2.40
  Uname: Linux 3.2.0-40-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.0.1-0ubuntu17.2
  Architecture: i386
  Date: Wed May 1 19:48:16 2013
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
  MarkForUpload: True
  PackageArchitecture: all
  SourcePackage: python-httplib2
  UpgradeStatus: Upgraded to precise on 2012-05-08 (357 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/httplib2/+bug/1175272/+subscriptions
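
Added example, not part of the original notification and not httplib2's own code: a simplified model of a cached HTTPS connection showing why a certificate mismatch must also close the connection, as the changelog entry describes. The class names, the host names and the close_on_mismatch switch are assumptions made for illustration; only the exception name comes from the bug description.

```python
class CertificateHostnameMismatch(Exception):
    """Same name as the exception in the bug description; defined locally."""

class FakeTLSSocket:
    """Constructed stand-in for a TLS socket; no network traffic is made."""
    def __init__(self, cert_hosts):
        self.cert_hosts = cert_hosts
        self.closed = False

    def close(self):
        self.closed = True

class ModelConnection:
    """Hypothetical model of a connection object that is reused per host."""
    def __init__(self, host, served_cert_hosts, close_on_mismatch):
        self.host = host
        self.served_cert_hosts = served_cert_hosts
        self.close_on_mismatch = close_on_mismatch
        self.sock = None
        self.handshakes = 0

    def connect(self):
        self.handshakes += 1
        # The socket is stored before the certificate has been checked.
        self.sock = FakeTLSSocket(self.served_cert_hosts)
        if self.host not in self.sock.cert_hosts:
            if self.close_on_mismatch:
                # Fixed behaviour: drop the unverified socket before raising.
                self.sock.close()
                self.sock = None
            raise CertificateHostnameMismatch(self.host)

    def request(self):
        # Reuse logic: only connect (and validate) when there is no socket.
        if self.sock is None:
            self.connect()
        return 200

def two_requests(close_on_mismatch):
    """Issue two requests on one connection; return (outcomes, handshakes)."""
    conn = ModelConnection("good.example", ["other.example"], close_on_mismatch)
    outcomes = []
    for _ in range(2):
        try:
            outcomes.append(conn.request())
        except CertificateHostnameMismatch:
            outcomes.append("mismatch")
    return outcomes, conn.handshakes

if __name__ == "__main__":
    print("leave socket open:", two_requests(False))
    print("close on mismatch:", two_requests(True))
```

In the model, leaving the socket in place reproduces the reported pattern of one exception followed by a 200, while closing it forces a second handshake and a second validation failure.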