[Bug 1469653] Re: CVE-2014-0224 not fixed for python-openssl based servers
Tyler Hicks
tyhicks at canonical.com
Thu Jul 2 18:59:09 UTC 2015
Hi Rob - Thanks for the report!
Fortunately, I can't reproduce your findings. I used the Python HTTPS
server found here:
http://dennis.dieploegers.de/creating-a-ssl-http-server-in-python/
I created a cert using:
$ openssl req -new -x509 -keyout server.pem -out server.pem -days 365
-nodes
I then pointed the ssltest at the IP address. It reports:
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
I'll need more info on your Python server before I can proceed. Thanks!
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-0224
** Changed in: pyopenssl (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pyopenssl in Ubuntu.
https://bugs.launchpad.net/bugs/1469653
Title:
CVE-2014-0224 not fixed for python-openssl based servers
Status in pyopenssl package in Ubuntu:
Incomplete
Bug description:
When creating a minimal https based server in python using 'from
OpenSSL import SSL' on a fully patched Ubuntu 14.04 system, the
OpenSSL bug as reported in CVE-2014-0224 seems to persist for that
server. A C++ implementation with the same functionality on the same
system does not show such issues so it would appear that its specific
to python-openssl .
The existence of this bug can be validated by running a simple python
based https server that uses the Python OpenSSL module on a public IP
adress and using the web form as provided on
https://www.ssllabs.com/ssltest/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pyopenssl/+bug/1469653/+subscriptions
More information about the foundations-bugs
mailing list