On Fri, Jul 31, 2015 at 12:00:40PM +0200, Guido Günther wrote:
> On Fri, Jul 31, 2015 at 09:42:16AM +0100, Daniel P. Berrange wrote:
> > On Fri, Jul 31, 2015 at 09:15:13AM +0200, Guido Günther wrote:
> > > On Thu, Jul 23, 2015 at 03:57:27PM +0000, Eren Yagdiran wrote:
> > > [..snip..]
> > > > +def get_url(server, path, headers):
> > > > +    url = "https://" + server + path
> > > > +    debug(" Fetching %s..." % url)
> > > > +
> > > > +    req = urllib2.Request(url=url)
> > >
> > > This does not seem to do any certificate validation (just in case this
> > > ends up in a distro's /usr/bin/ I can already see the CVE forthcoming).
> >
> > IIUC, with latest python2/3 urllib2 will now do certificate
> > validation by default for https urls.
> >
> > https://bugs.python.org/issue22417
>
> Ahh...since last November. Thanks for pointing this out! Should we then
> at least check if python is recent enough?

Yeah, we could put a version check in there to force new enough python,
or at least print a warning if it is a known insecure version.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
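Review bot: `req = urllib2.Request(url=url)` leaves certificate verification to the interpreter's defaults, which, as the thread notes, only became verifying in recent Python (https://bugs.python.org/issue22417); since the rest of the function is snipped, suggest either the version gate Daniel proposes or passing an explicit verifying `ssl` context to `urlopen`, so the behaviour is the same on every interpreter the script runs under. A second point on `url = "https://" + server + path`: plain concatenation accepts any string for `server`, so checking that it is a bare host[:port] (no scheme, `/`, `@`, `?` or `#`) before building the URL would make the contacted host unambiguous.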
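The version gate Daniel suggests, written out as an added example that is not part of this thread or of the libvirt patch: the 2.7.9 / 3.4.3 threshold is PEP 476, the change the thread links as issue22417, while the function names, the `build_url` host check and the explicit `ssl` context are my own additions, not the patch's.

```python
import ssl
import sys
import warnings

try:
    import urllib2 as _urllib          # Python 2, as used by the patch
except ImportError:
    import urllib.request as _urllib   # Python 3 equivalent

# Default HTTPS certificate verification arrived in 2.7.9 and 3.4.3
# (PEP 476, the change tracked at https://bugs.python.org/issue22417).
_MIN_VERIFYING = {2: (2, 7, 9), 3: (3, 4, 3)}


def verifies_certs_by_default(version_info=None):
    """True if this interpreter (or the given tuple) verifies HTTPS certs."""
    v = tuple(version_info or sys.version_info)[:3]
    minimum = _MIN_VERIFYING.get(v[0])
    if minimum is None:
        return v[0] > 3            # 4.x and later certainly do; 1.x does not
    return v >= minimum


def check_python_tls(version_info=None, strict=True):
    """The version gate from the thread: refuse (strict) or warn on old Python."""
    if verifies_certs_by_default(version_info):
        return True
    v = tuple(version_info or sys.version_info)[:3]
    msg = ("Python %d.%d.%d does not verify HTTPS certificates by default; "
           "need >= 2.7.9 or >= 3.4.3" % v)
    if strict:
        raise RuntimeError(msg)
    warnings.warn(msg)
    return False


def build_url(server, path):
    """Assumed helper: only accept a bare host[:port] and an absolute path."""
    if not server or server != server.strip() or any(c in server for c in "/@?#"):
        raise ValueError("server must be a bare host[:port]: %r" % (server,))
    if not path.startswith("/"):
        raise ValueError("path must be absolute: %r" % (path,))
    return "https://" + server + path


def get_url(server, path, headers=None):
    """Fetch with an explicit verifying context rather than relying on defaults."""
    check_python_tls()                     # fail early on an old interpreter
    ctx = ssl.create_default_context()     # verifies chain and hostname
    req = _urllib.Request(url=build_url(server, path), headers=headers or {})
    return _urllib.urlopen(req, context=ctx).read()
```

`get_url` needs network access and so is not exercised offline; the version and URL checks are pure functions and can be tested in isolation.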