PYSEC-2014-81

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/httplib2/PYSEC-2014-81.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2014-81

Aliases

CVE-2013-2037
GHSA-q48q-77qv-cf9p

Published

2014-01-18T21:55:00Z

Modified

2024-04-29T11:57:03.013016Z

Summary

[none]

Details

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

http://www.ubuntu.com/usn/USN-1948-1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602
http://seclists.org/oss-sec/2013/q2/257
http://code.google.com/p/httplib2/issues/detail?id=282
https://bugs.launchpad.net/httplib2/+bug/1175272
http://www.securityfocus.com/bid/52179

Affected packages

PyPI / httplib2

Package

Name: httplib2; View open source insights on deps.dev
Purl: pkg:pypi/httplib2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9

Affected versions

0.*

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.8