[Bug 1469653] Re: CVE-2014-0224 not fixed for python-openssl based servers
Rob Meijer
1469653 at bugs.launchpad.net
Mon Jul 6 09:30:45 UTC 2015
A stripped down version of the server code used. Using this code on a
fully patched Ubuntu 14.04 server, ssllabs will report:
"This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F."
** Attachment added: "Demo server code"
https://bugs.launchpad.net/ubuntu/+source/pyopenssl/+bug/1469653/+attachment/4424979/+files/demo.py
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pyopenssl in Ubuntu.
https://bugs.launchpad.net/bugs/1469653
Title:
CVE-2014-0224 not fixed for python-openssl based servers
Status in pyopenssl package in Ubuntu:
Incomplete
Bug description:
When creating a minimal https based server in python using 'from
OpenSSL import SSL' on a fully patched Ubuntu 14.04 system, the
OpenSSL bug as reported in CVE-2014-0224 seems to persist for that
server. A C++ implementation with the same functionality on the same
system does not show such issues so it would appear that its specific
to python-openssl .
The existence of this bug can be validated by running a simple python
based https server that uses the Python OpenSSL module on a public IP
adress and using the web form as provided on
https://www.ssllabs.com/ssltest/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pyopenssl/+bug/1469653/+subscriptions
More information about the foundations-bugs
mailing list