Bugzilla – Bug 825876
VUL-0: python-bugzilla: CVE-2013-2191: no server certificate verification
Last modified: 2013-07-11 06:00:49 UTC
Public via oss-security:
Date: Wed, 19 Jun 2013 12:58:40 -0400 (EDT)
From: Jan Lieskovsky
Subject: [oss-security] [CVE identifier assignment notification] CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate

It was found that python-bugzilla, a Python library for interacting with Bugzilla instances over XML-RPC functionality, did not perform X.509 certificate verification when using a secured SSL connection. A man-in-the-middle (MiTM) attacker could use this flaw to spoof the Bugzilla server via an arbitrary certificate.

Credit: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
CVE id: CVE-2013-2191 has been assigned to this issue
Relevant upstream patch: https://git.fedorahosted.org/cgit/python-bugzilla.git/commit/?id=a782282ee479ba4cc1b8b1d89700ac630ba83eef
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2191
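The report above describes the weak setting (an encrypted session that accepts any server certificate) and the fix (a trusted chain plus hostname matching). The following is an added example, not code from python-bugzilla or from the upstream patch: it builds an XML-RPC client in the standard library's xmlrpc.client with a verifying SSL context, and includes a small audit helper that tells the two settings apart. BUGZILLA_URL is a constructed placeholder; constructing the proxy opens no connection.

```python
"""Added example: a verifying XML-RPC client and an SSL-context audit helper.
Not code from python-bugzilla; written to illustrate CVE-2013-2191's class of bug."""
import ssl
import xmlrpc.client
from typing import Optional

# Constructed placeholder endpoint; no request is ever sent to it here.
BUGZILLA_URL = "https://bugzilla.example.invalid/xmlrpc.cgi"


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """Return True only if ctx requires a certificate chaining to a trusted CA
    AND checks that the certificate matches the contacted hostname.
    Either check alone still lets a MiTM present an arbitrary certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def unverified_context() -> ssl.SSLContext:
    """The weak setting, equivalent to what the advisory describes: the TLS
    session is encrypted, but any certificate the peer presents is accepted."""
    return ssl._create_unverified_context()


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: trust the system CA store (or the given CA
    bundle), require a valid chain, and enforce hostname matching."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_client(url: str = BUGZILLA_URL,
                ctx: Optional[ssl.SSLContext] = None) -> xmlrpc.client.ServerProxy:
    """Build an XML-RPC proxy bound to a verifying TLS context.

    The guard refuses a non-verifying context outright, so a caller cannot
    silently downgrade to the vulnerable behaviour by passing one in."""
    if ctx is None:
        ctx = verified_context()
    if not context_verifies(ctx):
        raise ValueError("refusing to build an XML-RPC client that skips "
                         "certificate verification")
    return xmlrpc.client.ServerProxy(url, context=ctx)


if __name__ == "__main__":
    print("unverified context passes audit:", context_verifies(unverified_context()))
    print("verified context passes audit:  ", context_verifies(verified_context()))
    client = make_client()
    print("client built with verifying context:", client is not None)
    try:
        make_client(ctx=unverified_context())
    except ValueError as exc:
        print("rejected:", exc)
```

The audit helper is the part worth reusing: when reviewing a client library, look for where it constructs its transport and check both `verify_mode` and `check_hostname` on the context it uses, since a context with `CERT_REQUIRED` but no hostname check still accepts any certificate that some trusted CA issued for a different name.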
@jan: Have fun
bugbot adjusting priority
AFAICT, upstream is days from releasing 0.9.0. I'll wait with the Factory update for that. Do we want backports for old distributions?
We need to get this fixed for openSUSE (12.2/12.3). Is a backport for this feasible from your point of view?
0.9.0 is out by the way. https://fedorahosted.org/releases/p/y/python-bugzilla/python-bugzilla-0.9.0.tar.gz
New version submitted to Factory. I'd like a version update for 12.3 also, if possible. For 12.2... well. Backport of the upstream solution is definitely not feasible (too many changes between 0.6 and 0.9), but I might be able to fix the bug in a different way. And of course, if we could do a version update too, that would be nice ;e)
This is an autogenerated message for OBS integration: This bug (825876) was mentioned in https://build.opensuse.org/request/show/181190 Factory / python-bugzilla
From the maintenance side a version update is possible, _BUT_ it should not change existing functionality so that e.g. the current use of python-bugzilla inside scripts would break. What is your assessment of the functional stability? Iff it is stable then please provide submissions for 12.2 and 12.3.
Oh, that makes sense. There is a high risk of backwards-incompatible changes, so I'll just fix this without a version update.
Submitted patches to 12.3 and 12.2, handing over to security.
This is an autogenerated message for OBS integration: This bug (825876) was mentioned in https://build.opensuse.org/request/show/181324 Maintenance / https://build.opensuse.org/request/show/181325 Maintenance /
This is an autogenerated message for OBS integration: This bug (825876) was mentioned in https://build.opensuse.org/request/show/181531 Maintenance /
This is an autogenerated message for OBS integration: This bug (825876) was mentioned in https://build.opensuse.org/request/show/181562 Evergreen:11.2 / python-bugzilla
openSUSE-SU-2013:1154-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 825876
CVE References: CVE-2013-2191
Sources used:
openSUSE 12.3 (src): python-bugzilla-0.6.2-8.4.1
openSUSE 12.2 (src): python-bugzilla-0.6.2-6.4.1
openSUSE-SU-2013:1155-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 825876
CVE References: CVE-2013-2191
Sources used:
openSUSE 11.4 (src): python-bugzilla-0.6.2-13.1
No SLE versions, so all done.
This is an autogenerated message for OBS integration: This bug (825876) was mentioned in https://build.opensuse.org/request/show/182786 Evergreen:11.2 / python-bugzilla