CVE-2014-1830

Advisory

Requesocks (a fork of requests package, working with socks proxy) is vulnerable to CVE-2014-1830.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

-------------------

* CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with
PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This
release fixes a vulnerability whereby urllib3 in the above configuration
would silently fail to validate TLS certificates due to erroneously setting
invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous
flags do not cause a problem in OpenSSL versions before 1.1.0, which
interprets the presence of any flag as requesting certificate validation.

There is no PR for this patch, as it was prepared for simultaneous disclosure
and release. The master branch received the same fix in PR 1010.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
• https://github.com/kennethreitz/requests/issues/1885
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108
• http://www.debian.org/security/2015/dsa-3146
• http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
• http://advisories.mageia.org/MGASA-2014-0409.html
• http://lists.opensuse.org/opensuse-updates/2016-01/msg00095.html