
python-jenkins-developers team mailing list archive

[Bug 1363189] [NEW] Does not validate TLS certificates allowing trivial MITM.

 

*** This bug is a security vulnerability ***

Private security bug reported:

urllib2 does not do any verification of TLS by default and so
python-jenkins is vulnerable to MITM attacks.

The most common solution to this is to switch to
http://docs.python-requests.org/en/latest/ which does this verification
by default.

** Affects: python-jenkins
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Python
Jenkins Developers, which is subscribed to Python Jenkins.
https://bugs.launchpad.net/bugs/1363189

Title:
  Does not validate TLS certificates allowing trivial MITM.

Status in Python API for Jenkins:
  New

Bug description:
  urllib2 does not do any verification of TLS by default and so
  python-jenkins is vulnerable to MITM attacks.

  The most common solution to this is to switch to
  http://docs.python-requests.org/en/latest/ which does this verification
  by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/python-jenkins/+bug/1363189/+subscriptions

