PT-2014-8964 · Python+3 · Cpython+3
Published 2014-12-12 · Updated 2019-10-25 · CVE-2014-9365
CVSS v2.0: 5.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
CPython versions 2.x prior to 2.7.9
CPython versions 3.x prior to 3.4.3
Description
The issue concerns the HTTP clients in several libraries, including httplib, urllib, urllib2, and xmlrpclib, which do not properly verify the SSL certificate when accessing an HTTPS URL. Specifically, they fail to check the certificate against a trust store or ensure that the server hostname matches a domain name in the subject's Common Name or subjectAltName field of the X.509 certificate. This oversight allows man-in-the-middle attackers to spoof SSL servers using an arbitrary valid certificate.
Recommendations
For CPython versions 2.x prior to 2.7.9, update to version 2.7.9 or later to resolve the issue.
For CPython versions 3.x prior to 3.4.3, update to version 3.4.3 or later to resolve the issue.
Exploit
Fix
Related identifiers
Affected products
Alt Linux
Cpython
Centos
Red Hat