
python: missing hostname check

Package(s): python
CVE #(s): CVE-2014-9365
Created: March 6, 2015
Updated: March 11, 2015
Description:

From the Mageia advisory:

When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking (CVE-2014-9365).

Note that this issue also affects python3, and is fixed upstream in version 3.4.3, but the fix was considered too intrusive to backport to Python3 3.3.x. No update for the python3 package for this issue is planned at this time.
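
The two gaps the advisory describes (no trust-store check, no hostname check), as an added Python 3 example that is not part of the advisory or of Python's own code. The function names are hypothetical, the "legacy" contexts are constructed stand-ins for the old defaults, and `example.org` is a placeholder host.

```python
import http.client
import ssl


def legacy_default_context():
    """Constructed stand-in for the pre-fix default: no trust store, no hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trust_root_only_context():
    """Chain is validated, but a valid certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verified_context():
    """Chain validation against the system trust store plus hostname matching."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return the list of verification gaps for an SSLContext (empty means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def https_connection(host, ctx):
    """Build (without connecting) an HTTPS client; refuse a weak context."""
    gaps = audit_context(ctx)
    if gaps:
        raise ValueError("refusing weak TLS context: " + ", ".join(gaps))
    return http.client.HTTPSConnection(host, context=ctx, timeout=10)


if __name__ == "__main__":
    for make in (legacy_default_context, trust_root_only_context, verified_context):
        print(make.__name__, audit_context(make()) or "ok")
```
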

Alerts:
Scientific Linux SLSA-2015:2101-1 python 2015-12-21
Red Hat RHSA-2016:1166-01 python27 2016-05-31
Red Hat RHSA-2015:2101-01 python 2015-11-19
Mandriva MDVSA-2015:075 python 2015-03-27
Gentoo 201503-10 python 2015-03-18
Mageia MGASA-2015-0091 python 2015-03-05



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds