CVE-2014-9365: Validate TLS certificate

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject’s (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

See also PEP 466: Network Security Enhancements for Python 2.7.x.
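The two checks named in the description (chain validation against a trust store, and matching the hostname against the certificate's Common Name or subjectAltName) correspond to two attributes of an `ssl.SSLContext`: `verify_mode` and `check_hostname`. The following is an added example, not code from this page or from CPython, that inspects a context for both checks and contrasts the PEP 476 default context with a context configured the way the pre-2.7.9 / pre-3.4.3 clients behaved; the function names `verification_status`, `is_safe_for_https` and `legacy_style_context` are this example's own.

```python
import ssl


def verification_status(ctx):
    """Report whether an SSLContext performs the two checks PEP 476 made
    the default: chain validation against the trust store (verify_mode)
    and hostname matching against CN / subjectAltName (check_hostname)."""
    return {
        "validates_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def is_safe_for_https(ctx):
    """True only if both checks are enabled; a context missing either one
    accepts an arbitrary valid certificate for any host, which is the
    CVE-2014-9365 condition."""
    status = verification_status(ctx)
    return status["validates_chain"] and status["checks_hostname"]


def legacy_style_context():
    """Constructed for illustration: a context that behaves like the
    pre-fix clients (no trust-store check, no hostname check).  This is
    what ssl._create_unverified_context() hands back and is what code
    should be audited for.  check_hostname must be cleared before
    verify_mode can be lowered to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(contexts):
    """Return a list of (label, safe?) pairs for a batch of contexts, the
    shape a code-review or runtime self-check would consume."""
    return [(label, is_safe_for_https(ctx)) for label, ctx in contexts]


if __name__ == "__main__":
    # ssl.create_default_context() is what urllib/http.client use since
    # PEP 476; it loads the platform trust store and enables both checks.
    for label, ok in audit([
        ("default (PEP 476)", ssl.create_default_context()),
        ("legacy / unverified", legacy_style_context()),
    ]):
        print(f"{label}: {'verifies chain and hostname' if ok else 'NO verification'}")
```

To make a connection use the verifying context explicitly, pass it as `http.client.HTTPSConnection(host, context=ssl.create_default_context())` or `urllib.request.urlopen(url, context=ctx)`; any context that `is_safe_for_https` rejects should be treated as a finding.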

  • Disclosure date: 2014-08-28 (PEP 476 created)
  • Reported by: Alex Gaynor (PEP 476 author)

Fixed In

  • Python 2.7.9
  • Python 3.4.3

Vulnerable Versions

  • Python 3.3

Python issue

PEP 476: verify HTTPS certificates by default.

  • Python issue: issue #22417
  • Creation date: 2014-09-15
  • Reporter: Nick Coghlan

Timeline

Timeline using the disclosure date 2014-08-28 as reference:

  • 2014-08-28: Disclosure date (PEP 476 created)
  • 2014-09-15 (+18 days): Python issue #22417 reported by Nick Coghlan
  • 2014-11-03 (+67 days): commit 4ffb075
  • 2014-11-24 (+88 days): commit e3e7d40
  • 2014-12-10 (+104 days): Python 2.7.9 released
  • 2014-12-12 (+106 days): CVE-2014-9365 published
  • 2015-02-23 (+179 days): Python 3.4.3 released
  • 2015-09-09: Python 3.5.0 released