tags 651204 +patch thanks Le mercredi, 30 mai 2012 11.47:05, Thijs Kinkhorst a écrit : > Hi, > > Wheezy and sid contain a patch for this issue. Squeeze seems still > affected. Are you able to provide an updated package for squeeze?
Would the attached patch do the job for Squeeze? OdyX
From: Till Kamppeter <till.kamppe...@gmail.com> Date: Tue, 13 Dec 2011 20:54:26 +0100 Subject: Fix MITM via unencrypted metadata download Adapted to Squeeze by Didier Raboud <o...@debian.org> on Tue Jul 24 10:09:16 CEST 2012. Closes: #651204 --- cupshelpers/openprinting.py | 35 +++++++++++++++++++++++------------ 1 files changed, 23 insertions(+), 12 deletions(-) --- a/cupshelpers/openprinting.py +++ b/cupshelpers/openprinting.py @@ -19,7 +19,7 @@ ## along with this program; if not, write to the Free Software ## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -import urllib, httplib, platform, threading, tempfile, traceback +import pycurl,urllib, httplib, platform, threading, tempfile, traceback import os, sys from xml.etree.ElementTree import XML from . import Device @@ -42,10 +42,18 @@ self.parameters = parameters self.callback = callback self.user_data = user_data + self.result = "" self.setDaemon (True) def run (self): + + # Callback function for pycURL collecting the data coming from + # the web server + def collect_data(result): + self.result += result; + return len(result) + # CGI script to be executed query_command = "/query.cgi" # Headers for the post request 
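Review bot: The new module-level `import pycurl` makes pycurl a hard runtime dependency of cupshelpers, and nothing in this patch declares it (the diffstat lists only `cupshelpers/openprinting.py`). If the package's dependency list is not updated alongside it, importing `cupshelpers.openprinting` will fail on systems without pycurl, so that should be confirmed before upload. As a style point, `import pycurl,urllib, httplib, ...` is missing the space after the first comma.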
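Review bot: `collect_data` appends every received chunk to `self.result` with no upper bound, so the size of the in-memory result is decided entirely by the remote server. A size check inside the callback would bound it, since returning anything other than `len(result)` makes libcurl abort the transfer. The trailing semicolon in `self.result += result;` is not Python style, and a one-line comment such as `# must return the number of bytes consumed, or libcurl aborts` would explain the `return len(result)`. The body of run() continues outside this hunk.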
@@ -55,26 +63,26 @@ (urllib.urlencode (self.parameters), self.parent.language[0], self.parent.language[0])) - self.url = "http://%s%s?%s" % (self.parent.base_url, query_command, params) + self.url = "https://%s%s?%s" % (self.parent.base_url, query_command, params) # Send request - result = None + self.result = "" status = 1 try: - conn = httplib.HTTPConnection(self.parent.base_url) - conn.request("POST", query_command, params, headers) - resp = conn.getresponse() - status = resp.status - if status == 200: - result = resp.read() - conn.close() + curl = pycurl.Curl() + curl.setopt(pycurl.SSL_VERIFYPEER, 1) + curl.setopt(pycurl.SSL_VERIFYHOST, 2) + curl.setopt(pycurl.WRITEFUNCTION, collect_data) + curl.setopt(pycurl.URL, self.url) + status = curl.perform() + if status == None: status = 0 + if (status != 0): + self.result = sys.exc_info () except: - result = sys.exc_info () - - if status == 200: - status = 0 + self.result = sys.exc_info () + if status == None: status = 0 if self.callback != None: - self.callback (status, self.user_data, result) + self.callback (status, self.user_data, self.result) class OpenPrinting: def __init__(self, language=None):
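Review bot: The HTTP response code is no longer checked in run(): `curl.perform()` returns None for any completed transfer, so a 404 or 500 error page is handed to the callback with status 0, whereas the removed code only read the body on a 200. Adding `curl.setopt(pycurl.FAILONERROR, 1)` before `perform()` makes such responses raise into the existing except path, and the `if (status != 0):` branch can then be dropped because it is unreachable as written. The request also changed from a POST carrying `headers` to a GET built from `self.url`, so the headers prepared earlier in the function (outside this hunk) appear to be unused now, and the handle is never released with `curl.close()`. The explicit `SSL_VERIFYPEER`/`SSL_VERIFYHOST` settings are the right ones for the MITM fix; setting `pycurl.CONNECTTIMEOUT` and `pycurl.TIMEOUT` as well would keep a stalled server from holding the worker thread indefinitely.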