[v3.0] python: standard library HTTP clients issue (CVE-2014-9365)
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in Python 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References:
http://seclists.org/oss-sec/2014/q4/1028
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365
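As an added illustration (not from the advisory, the references, or Alpine's package code), the Python 3 snippet below checks an interpreter version against the fixed releases named in the description and builds the verifying TLS context whose absence the CVE describes; a second context reproduces the pre-fix defaults purely for side-by-side comparison. Module names follow Python 3's `urllib.request`, the successor of the `urllib2` named above.

```python
import ssl
import urllib.request

# Fixed releases stated in the CVE text: 2.7.9 for the 2.x line, 3.4.3 for 3.x.
FIXED = {2: (2, 7, 9), 3: (3, 4, 3)}


def is_affected(version_info):
    """True if a CPython version tuple (major, minor, micro) predates the fix."""
    major, minor, micro = version_info[:3]
    fixed = FIXED.get(major)
    if fixed is None:  # other major versions are outside the advisory's scope
        return False
    return (major, minor, micro) < fixed


def verifying_context(cafile=None):
    """Context that does what the affected clients did not: validate the chain
    against a trust store and match the hostname against CN / subjectAltName."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_like_context():
    """Reproduces the pre-2.7.9 / pre-3.4.3 behaviour (no chain or hostname
    check), kept only so the two settings can be compared with describe()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the two settings that decide whether a spoofed server is caught."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def open_https(url, cafile=None):
    """urlopen with an explicit verifying context, as the fixed releases default to."""
    return urllib.request.urlopen(url, context=verifying_context(cafile))
```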
(from redmine: issue id 3795, created on 2015-01-27, closed on 2015-08-05)
- Relations:
  - parent #3792 (closed)
- Changesets:
  - Revision 30e6eb8f by Natanael Copa on 2015-08-05T09:57:37Z:
    main/python: security upgrade to 2.7.10 (CVE-2014-9365)
    fixes #3795