The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject’s (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
See also PEP 476 (Enabling certificate verification by default for stdlib http clients) and PEP 466 (Network Security Enhancements for Python 2.7.x).
Dates:
Disclosure date: 2014-08-28 (PEP 476 created)
Reported by: Alex Gaynor (PEP 476 author)
Python 2.7.9 (2014-12-10) fixed by commit e3e7d40 (branch 2.7) (2014-11-24)
Python 3.4.3 (2015-02-25) fixed by commit 4ffb075 (branch 3.4) (2014-11-03)
Python 3.5.0 (2015-09-12) fixed by commit 4ffb075 (branch 3.4) (2014-11-03)
PEP 476: verify HTTPS certificates by default.
Python issue: bpo-22417
Creation date: 2014-09-15
Reporter: Nick Coghlan
CWE: CWE-295: Improper Certificate Validation (http://cwe.mitre.org/data/definitions/295.html)
CVE ID: CVE-2014-9365
Published: 2014-12-12
CVSS Score: 5.8
Timeline using the disclosure date 2014-08-28 as reference:
2014-08-28: Disclosure date (PEP 476 created)
2014-09-15 (+18 days): Python issue bpo-22417 reported by Nick Coghlan
2014-11-03 (+67 days): commit 4ffb075 (branch 3.4)
2014-11-24 (+88 days): commit e3e7d40 (branch 2.7)
2014-12-10 (+104 days): Python 2.7.9 released
2014-12-12 (+106 days): CVE-2014-9365 published
2015-02-25 (+181 days): Python 3.4.3 released
2015-09-12: Python 3.5.0 released