tweepy: CVE-2012-5825 Fail to verify hostname against X.509 certificate

Related Vulnerabilities: CVE-2012-5825   CVE-2012-5821  

Debian Bug report logs - #692444
tweepy: CVE-2012-5825 Fail to verify hostname against X.509 certificate


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 6 Nov 2012 11:12:02 UTC

Severity: important

Tags: confirmed, fixed-upstream, jessie, security, sid, stretch, upstream

Found in version 2.3-1

Fixed in version tweepy/3.1.0-1

Done: Miguel Landaeta <nomadium@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/tweepy/tweepy/issues/279



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#692444; Package tweepy. (Tue, 06 Nov 2012 11:12:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 06 Nov 2012 11:12:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tweepy: CVE-2012-5821
Date: Tue, 06 Nov 2012 12:07:01 +0100
Package: tweepy
Severity: important
Tags: security
Justification: user security hole

Please see Section 9 of this paper:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Cheers,
        Moritz



Set Bug forwarded-to-address to 'https://github.com/tweepy/tweepy/issues/279'. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Wed, 10 Apr 2013 22:03:08 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Wed, 10 Apr 2013 22:03:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#692444; Package tweepy. (Tue, 14 May 2013 19:36:05 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <miguel@miguel.cc>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 14 May 2013 19:36:05 GMT) (full text, mbox, link).


Message #14 received at 692444@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <miguel@miguel.cc>
To: 692444@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: tweepy: CVE-2012-5821
Date: Tue, 14 May 2013 16:32:53 -0300
[Message part 1 (text/plain, inline)]
tags 692444 + confirmed
thanks

The issue is confirmed by upstream. Please see:
https://github.com/tweepy/tweepy/issues/279#issuecomment-17898339

The current status for this bug is waiting for resolution from upstream.

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at
http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
[Message part 2 (text/html, inline)]

Added tag(s) confirmed. Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Tue, 14 May 2013 19:36:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#692444; Package tweepy. (Mon, 01 Dec 2014 14:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <nomadium@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 01 Dec 2014 14:36:04 GMT) (full text, mbox, link).


Message #21 received at 692444@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 692444@bugs.debian.org
Subject: Re: tweepy: CVE-2012-5821
Date: Mon, 1 Dec 2014 11:34:38 -0300
[Message part 1 (text/plain, inline)]
Upstream claims to have fixed this in their 3.0.0 release.

https://github.com/tweepy/tweepy/issues/279#issuecomment-65017673

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Reply sent to Miguel Landaeta <nomadium@debian.org>:
You have taken responsibility. (Sun, 14 Dec 2014 19:06:10 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 14 Dec 2014 19:06:10 GMT) (full text, mbox, link).


Message #26 received at 692444-close@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 692444-close@bugs.debian.org
Subject: Bug#692444: fixed in tweepy 3.1.0-1
Date: Sun, 14 Dec 2014 19:04:24 +0000
Source: tweepy
Source-Version: 3.1.0-1

We believe that the bug you reported is fixed in the latest version of
tweepy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomadium@debian.org> (supplier of updated tweepy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 14 Dec 2014 14:51:37 -0300
Source: tweepy
Binary: python-tweepy python-tweepy-doc
Architecture: source all
Version: 3.1.0-1
Distribution: experimental
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomadium@debian.org>
Description:
 python-tweepy - Twitter library for Python
 python-tweepy-doc - Documentation for python-tweepy module
Closes: 692444
Changes:
 tweepy (3.1.0-1) experimental; urgency=low
 .
   * New upstream release. (Closes: #692444).
     Since 3.0.0 release a fix for security vulnerability CVE-2012-5821
     is included.
   * Bump Standards-Version to 3.9.6. No changes were required.
   * Update copyright file.
   * Drop 01_use_python_oauth.diff patch. Upstream doesn't use python-auth
     library anymore.
   * Simplify d/rules file.
   * Bump dependency on debhelper to v9.
   * Add B-D on python-pip, python-requests-oauthlib and dh-python.
Checksums-Sha1:
 32bb73b558f610d2c67aea8bf5bacf48b6114287 2133 tweepy_3.1.0-1.dsc
 7163763781aa23a4e1e2540e920fc77af8b854c4 597193 tweepy_3.1.0.orig.tar.gz
 74a0c6b8b13f531dd93c55091daeeff9d4ffb7c0 3212 tweepy_3.1.0-1.debian.tar.xz
 16a51bee6d6f6304c5327e9caf05f3f8d874feab 25436 python-tweepy_3.1.0-1_all.deb
 62c7538771a17b3c4185037a5e8ff2ec4d45246f 54246 python-tweepy-doc_3.1.0-1_all.deb
Checksums-Sha256:
 7eb850dfc72310f7a52d343d9390d2c4ac5d2ec7a8e398b55f691ef22c325dfe 2133 tweepy_3.1.0-1.dsc
 876c53a9e3df04e1866869618f476ffe814bd11f2a165f5ca6a18714d557dd75 597193 tweepy_3.1.0.orig.tar.gz
 4e00b14dd9ea531de98766ba3c0a262a14cb30e80f4607a0f55664e8e32506ed 3212 tweepy_3.1.0-1.debian.tar.xz
 a1496dd2ebeb6c8ca1a033a358c541f7b5ac5e4f32dea563dbb3abe1386dc077 25436 python-tweepy_3.1.0-1_all.deb
 3cb09a1b353a992601b75043203dddf76d35d503bf4124b07e6be30d932a8ed9 54246 python-tweepy-doc_3.1.0-1_all.deb
Files:
 f3d92f4da8b13b6cb85cede4eaef3c4b 2133 python optional tweepy_3.1.0-1.dsc
 358e750d6f865ebe83dbb2bc6e9235f4 597193 python optional tweepy_3.1.0.orig.tar.gz
 a42b927a9dfb8c498dd160e23d1a1d4c 3212 python optional tweepy_3.1.0-1.debian.tar.xz
 fdda5addd2272236b4ada24cac29eea7 25436 python optional python-tweepy_3.1.0-1_all.deb
 809a4cb3ccc86e49b6379e27b1586afb 54246 doc optional python-tweepy-doc_3.1.0-1_all.deb





Marked as found in versions 2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Dec 2014 19:57:07 GMT) (full text, mbox, link).


Changed Bug title to 'tweepy: CVE-2012-5825' from 'tweepy: CVE-2012-5821' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Dec 2014 19:57:08 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Dec 2014 20:03:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Jun 2015 07:28:56 GMT) (full text, mbox, link).


Bug unarchived. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Thu, 09 Jun 2016 11:36:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#692444; Package tweepy. (Thu, 09 Jun 2016 11:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 09 Jun 2016 11:42:04 GMT) (full text, mbox, link).


Message #41 received at 692444@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: 692444@bugs.debian.org
Subject: Re: tweepy: CVE-2012-5821
Date: Thu, 9 Jun 2016 13:39:43 +0200
Control: retitle -1 tweepy: CVE-2012-5825 Fail to verify hostname against X.509 certificate

I looked into how to get a fix for this issue into Debian stable (Jessie).
It is easier said than done, as the fix implemented upstream was to rewrite
the HTTPS connection code from using httplib to using requests, i.e. a different
Python library.  I doubt such a change would be accepted by the
release managers, and do not intend to spend more time on it.  Sad to say,
but I believe this security issue will have to stay around in Debian Stable.

See also
<URL: https://security-tracker.debian.org/tracker/CVE-2012-5825 >.

-- 
Happy hacking
Petter Reinholdtsen

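The root cause behind the retitled bug is that Python 2's httplib.HTTPSConnection, which tweepy 2.x used, performed no certificate validation at all: neither the chain nor the hostname was checked, so any certificate presented by a man-in-the-middle was accepted. The following is an added example, not tweepy's code and not part of the bug report. It shows what "verify hostname against X.509 certificate" means in practice with a hostname matcher written against the dictionary shape that Python 3's ssl.SSLSocket.getpeercert() returns, and puts the vulnerable TLS client configuration next to the hardened one. The certificates and hostnames are constructed for the example (they are not real Twitter certificates), and the function names are the example's own.

```python
"""Hostname verification against an X.509 certificate, the check that
tweepy < 3.0 (via Python 2's httplib.HTTPSConnection) never performed.

Added example, not tweepy code. The certificate dictionaries below are
constructed in the shape returned by ssl.SSLSocket.getpeercert() so the
module runs offline; the matching rules follow RFC 6125 / RFC 2818.
"""
import ssl
from typing import Mapping


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    A wildcard is accepted only as the whole leftmost label ("*.example.com")
    and matches exactly one label, so "*.example.com" covers
    "api.example.com" but not "a.b.example.com" or "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        # Partial-label wildcards (f*.example.com) and "*.com" are rejected.
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: Mapping, hostname: str) -> bool:
    """Return True if `hostname` is a valid identity for `cert`.

    Only subjectAltName dNSName entries are considered when any are present;
    the subject commonName is a fallback solely for certificates with no
    dNSName SAN (RFC 6125 section 6.4.4). IP address SANs are not handled.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_label_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_matches(value, hostname)
    return False


def insecure_context() -> ssl.SSLContext:
    """The behaviour the bug describes, made explicit: chain validation and
    hostname checking both off, so any certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a fixed client should use: system trust store, chain validation
    and hostname matching. Passing this to http.client.HTTPSConnection gives
    the checks that requests performs by default."""
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context both validate the chain and check the
    hostname? A context failing either check is open to MITM."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed sample certificates in getpeercert() shape (not real certs).
API_CERT = {
    "subject": ((("commonName", "api.twitter.com"),),),
    "subjectAltName": (("DNS", "api.twitter.com"), ("DNS", "*.twitter.com")),
}
MITM_CERT = {
    # A perfectly valid certificate, but for a name the attacker controls.
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}


if __name__ == "__main__":
    for cert, name in [(API_CERT, "api.twitter.com"),
                       (MITM_CERT, "api.twitter.com"),
                       (CN_ONLY_CERT, "legacy.example.org")]:
        print(f"{name:20s} accepted={match_hostname(cert, name)}")
    print("insecure verifies peer:", context_verifies_peer(insecure_context()))
    print("hardened verifies peer:", context_verifies_peer(hardened_context()))
```

The MITM_CERT case is the attack the CCS'12 paper describes: with the insecure context the handshake succeeds and the API credentials go to the attacker, because nothing ever asks whether the certificate names api.twitter.com. Note also that hostname matching on its own is not enough; without chain validation (CERT_REQUIRED against a trust store) an attacker simply mints a self-signed certificate that does carry the right name, which is why the audit helper requires both.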


Changed Bug title to 'tweepy: CVE-2012-5825 Fail to verify hostname against X.509 certificate' from 'tweepy: CVE-2012-5825'. Request was from Petter Reinholdtsen <pere@hungry.com> to 692444-submit@bugs.debian.org. (Thu, 09 Jun 2016 11:42:04 GMT) (full text, mbox, link).


Added tag(s) jessie, stretch, and sid. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Jun 2016 16:15:03 GMT) (full text, mbox, link).



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:30:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:02:49 2019; Machine Name: beach
