FS#36839 - [python2-httplib2/python-httplib2] security patch for CVE-2013-2037
Attached to Project:
Community Packages
Opened by RbN (RbN) - Monday, 09 September 2013, 17:04 GMT
Last edited by Alexander F. Rødseth (xyproto) - Wednesday, 11 September 2013, 14:43 GMT
Details
Description:
From the httplib2 bug tracker [1]:

"What steps will reproduce the problem?
1. Make a request to an HTTPS server with a domain name not matching one that is specified in the corresponding SSL certificate.
2. Repeat the request once again.

Expected behavior: both requests fail with CertificateHostnameMismatch error.
Actual behavior: the first request fails with CertificateHostnameMismatch, but the second one succeeds.

The problem is caused by incorrect error handling in the connect() method of the HTTPSConnectionWithTimeout class. The created socket is closed in case of a general SSL error, but it's not closed in case of CertificateHostnameMismatchError (as the ssl module doesn't provide hostname checking and it's done by httplib2 code). So when the second request is performed, connect() is not called, because the connection has already been created, and the certificate hostname mismatch is not checked.

Tested versions: the last commit of the default branch in the hg repo; 0.7.2, 0.8."

CVE attribution on the oss-sec list [5].

Resolution: Debian [2][3] uses the patch provided in the httplib2 bug tracker [1]. Ubuntu provides a program [4] demonstrating the bug.

[1] http://code.google.com/p/httplib2/issues/detail?id=282
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602
[3] http://patch-tracker.debian.org/patch/series/view/python-httplib2/0.8-2/ssl-mismatch-check.patch
[4] https://bugs.launchpad.net/httplib2/+bug/1175272/+attachment/3661698/+files/httplib2-bug.py
[5] http://www.openwall.com/lists/oss-security/2013/05/01/5

Fix not tested.
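The stale-connection behaviour described in the report, as an added example that is neither httplib2's nor the reporter's code: a minimal model of the connect()/request() flow in which the class names, the FakeSocket stand-in and the host names are constructed for illustration. With close_on_mismatch=False the socket survives the hostname-mismatch exception and the second request reuses it unchecked; with close_on_mismatch=True the socket is closed before raising, which is the shape of the Debian patch.

```python
class CertificateHostnameMismatch(Exception):
    """Raised when the certificate does not cover the requested host."""


class FakeSocket:
    # Constructed stand-in for a TLS socket; only tracks close().
    def __init__(self):
        self.closed = False

    def close(self):
        self.closed = True


class Connection:
    """Caches its socket across requests, as an HTTP connection object does."""

    def __init__(self, host, cert_hosts, close_on_mismatch):
        self.host = host                  # name the client asked for
        self.cert_hosts = cert_hosts      # constructed: names the cert covers
        self.close_on_mismatch = close_on_mismatch  # False reproduces the bug
        self.sock = None

    def connect(self):
        self.sock = FakeSocket()
        # The ssl module did no hostname check, so the client does it here.
        if self.host not in self.cert_hosts:
            if self.close_on_mismatch:
                self.sock.close()   # the fix: drop the socket before raising
                self.sock = None
            raise CertificateHostnameMismatch(self.host)

    def request(self):
        # connect() runs only when no socket is cached yet.
        if self.sock is None:
            self.connect()
        return "response from %s" % self.host


def outcomes(close_on_mismatch, attempts=2):
    """Result of each request against a mismatched cert: 'ok' or 'mismatch'."""
    conn = Connection("www.example.net", ["www.example.org"], close_on_mismatch)
    results = []
    for _ in range(attempts):
        try:
            conn.request()
            results.append("ok")
        except CertificateHostnameMismatch:
            results.append("mismatch")
    return results
```

outcomes(False) returns ['mismatch', 'ok'], the reported bug; outcomes(True) returns ['mismatch', 'mismatch'].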
This task depends upon
Closed by Alexander F. Rødseth (xyproto)
Wednesday, 11 September 2013, 14:43 GMT
Reason for closing: Fixed
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 11 September 2013, 14:42 GMT
Confirmed, fixed and tested. Thanks for reporting. Hopefully upstream will make a new release of httplib2 soon.