Bugzilla – Bug 923610
VUL-1: CVE-2015-2674: python-restkit: may not properly validate TLS
Last modified: 2024-05-20 14:15:31 UTC
Via oss-sec http://seclists.org/oss-sec/2015/q1/962

Python's Restkit does not properly validate TLS (see https://github.com/benoitc/restkit/issues/140). It appears to simply use ssl.wrap_socket from the standard library, which does not do any validation by default. This can be verified by doing:

>>> from restkit import request
>>> r = request("https://tv.eurosport.com/")
>>> r.body_string()
'<HTML><HEAD>...'

[..]

As far as we can tell, what you mean is that https://docs.python.org/2/library/ssl.html says "the default settings of the ssl module are not necessarily appropriate for your application" and therefore it was the responsibility of the restkit developer to handle validation, because the goals of restkit include completely general access to all https URLs. In other words, it appears that your position is that it is acceptable for ssl.wrap_socket to have cert_reqs=CERT_NONE as a default, because this is fully documented and because there's an easy-to-notice "Warning" paragraph. This seems reasonable (although potentially controversial).

Use CVE-2015-2674.
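Added illustration (editor's note, not code from restkit or from the reporters): the two client-side TLS configurations the comment above contrasts, expressed with the modern ssl.SSLContext API so it runs on current Python 3 (ssl.wrap_socket itself was removed in 3.12). unverified_client_context() reproduces the effective state the old ssl.wrap_socket() default gave restkit (cert_reqs=CERT_NONE, no hostname check); verified_client_context() is what an HTTP client library should build instead. audit_context() is a small hypothetical helper that reports the two settings a reviewer checks. No network access is needed; the optional connect_and_get_peer_cert() at the bottom shows how the context is applied to a real socket and is only called from the __main__ block with a hostname you choose.

```python
"""Constructed example: unverified vs verified TLS client contexts."""
import socket
import ssl
from typing import List, Optional


def unverified_client_context() -> ssl.SSLContext:
    """Reproduce the effective defaults of the removed ssl.wrap_socket():
    no chain validation and no hostname match. Any certificate, including a
    self-signed one presented by an on-path attacker, is accepted.
    This is the configuration CVE-2015-2674 is about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode may become CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What a general-purpose HTTPS client should do instead: require a chain
    to a trusted CA and match the certificate to the requested host.
    cafile=None loads the platform trust store (hypothetical parameter name)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # create_default_context already sets both; restated to make the
    # contrast with unverified_client_context() explicit
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context.
    An empty list means the peer certificate will be validated and matched."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate is not "
                        "validated against any CA")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode is CERT_OPTIONAL: a server that sends "
                        "no certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate subject is not "
                        "matched to the requested host")
    return findings


def connect_and_get_peer_cert(host: str, port: int, ctx: ssl.SSLContext):
    """Open a TLS connection with the given context and return the peer
    certificate dict. server_hostname is what check_hostname matches against;
    omitting it is the other common way to lose hostname validation.
    With a verified context a bad chain or name raises ssl.SSLCertVerificationError."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("wrap_socket defaults", unverified_client_context()),
                      ("verified client", verified_client_context())):
        print(name, "->", audit_context(ctx) or "no findings")
    # Uncomment to exercise against a real host of your choice:
    # print(connect_and_get_peer_cert("example.org", 443, verified_client_context()))
```

The two contexts differ only in verify_mode and check_hostname; the default restkit relied on was the first one, which is why the session quoted above returns a body from any HTTPS endpoint regardless of who signed its certificate.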
Affected packages:
openSUSE:13.1 python-restkit 4.2.1
openSUSE:13.2 python-restkit 4.2.2
openSUSE:Factory python-restkit 4.2.2
bugbot adjusting priority
Remains unfixed upstream: https://github.com/benoitc/restkit/issues/140