Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#36839 - [python2-httplib2/python-httplib2] security patch for CVE-2013-2037

Attached to Project: Community Packages
Opened by RbN (RbN) - Monday, 09 September 2013, 17:04 GMT
Last edited by Alexander F. Rødseth (xyproto) - Wednesday, 11 September 2013, 14:43 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Alexander F. Rødseth (xyproto)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


From httplib2 bug tracker [1]:
"What steps will reproduce the problem?
1. Make a request to an HTTPS server with a domain name not matching one that is specified in the corresponding SSL certificate.
2. Repeat the request once again.

Expected behavior: both requests fail with CertificateHostnameMismatch error.

Actual behavior: the first request fails with CertificateHostnameMismatch, but the second one succeeds.

The problem is caused by incorrect error handling in connect() method of HTTPSConnectionWithTimeout class. The created socket is closed in case of a general SSL error, but it's not closed in case of CertificateHostnameMismatchError (as ssl module doesn't provide hostname checking and it's done by httplib2 code). So when the second request is performed, connect() is not called, because the connection has already been created, and certificate hostname mismatch is not checked.

Tested versions: the last commit of the default branch in hg repo; 0.7.2, 0.8."

CVE attribution on oss-sec list [5]

Resolution :
Debian [2][3] use the patch provided in the httplib2 bug tracker [1]
Ubuntu provide a program [4] demonstrating the bug


fix not tested
This task depends upon

Closed by  Alexander F. Rødseth (xyproto)
Wednesday, 11 September 2013, 14:43 GMT
Reason for closing:  Fixed
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 11 September 2013, 14:42 GMT
Confirmed, fixed and tested. Thanks for reporting. Hopefully upstream will make a new release of httplib2 soon.