python3: CVE-2013-2099: ssl.match_hostname() trips over crafted wildcard

Related Vulnerabilities: CVE-2013-2099  

Debian Bug report logs - #708530

Package: python3.3; Maintainer for python3.3 is (unknown);

Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 16 May 2013 13:04:55 UTC

Severity: normal

Tags: fixed-upstream, security

Found in version python3.3/3.3.1-1

Fixed in version python3.3/3.3.2-3

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.python.org/issue17980



Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#708530; Package python3. (Thu, 16 May 2013 13:04:59 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 16 May 2013 13:04:59 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: python3: CVE-2013-2099: ssl.match_hostname() trips over crafted wildcard
Date: Thu, 16 May 2013 16:03:15 +0300
Package: python3
Version: 3.2.3-6
Severity: normal
Tags: security

CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
Upstream: http://bugs.python.org/issue17980

---
Henri Salo

Bug reassigned from package 'python3' to 'python3.3'. Request was from Piotr Ożarowski <piotr@debian.org> to control@bugs.debian.org. (Thu, 16 May 2013 13:15:07 GMT)


No longer marked as found in versions python3-defaults/3.2.3-6. Request was from Piotr Ożarowski <piotr@debian.org> to control@bugs.debian.org. (Thu, 16 May 2013 13:15:08 GMT)


Marked as found in versions python3.3/3.3.1-1. Request was from Piotr Ożarowski <piotr@debian.org> to control@bugs.debian.org. (Thu, 16 May 2013 13:15:09 GMT)


Set Bug forwarded-to-address to 'http://bugs.python.org/issue17980'. Request was from Piotr Ożarowski <piotr@debian.org> to control@bugs.debian.org. (Thu, 16 May 2013 13:15:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#708530; Package python3.3. (Mon, 20 May 2013 15:21:04 GMT)


Message #16 received at 708530@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 708530@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>, linkchecker@packages.debian.org, python-bzrlib@packages.debian.org, python-tornado@packages.debian.org, python-urllib3@packages.debian.org, w3af-console@packages.debian.org
Subject: Re: Bug#708530: python3: CVE-2013-2099: ssl.match_hostname() trips over crafted wildcard
Date: Mon, 20 May 2013 17:18:43 +0200
Control: clone -1 -2 -3 -4 -5 -6 -7
Control: reassign -2 python2.7 2.7.3-11
Control: retitle -2 python2.7: possible abuse of ssl.match_hostname() for DoS usings certs with many wildcards
Control: reassign -3 linkchecker
Control: retitle -3 linkchecker: possible abuse of match_hostname() for DoS usings certs with many wildcards
Control: reassign -4 python-bzrlib
Control: retitle -4 python-bzrlib: possible abuse of match_hostname() for DoS usings certs with many wildcards
Control: reassign -5 src:python-tornado
Control: retitle -5 python(3)-tornado: possible abuse of match_hostname() for DoS usings certs with many wildcards
Control: reassign -6 src:python-urllib
Control: retitle -6 python(3)-urllib3: possible abuse of match_hostname() for DoS usings certs with many wildcards
Control: reassign -7 w3af-console
Control: retitle -7 w3af-console: possible abuse of match_hostname() for DoS usings certs with many wildcards

* Henri Salo <henri@nerv.fi>, 2013-05-16, 16:03:
>CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
>Upstream: http://bugs.python.org/issue17980

Unfortunately, we have quite a few embedded copies of this code. :(

-- 
Jakub Wilk



Bug 708530 cloned as bugs 709066, 709067, 709068, 709069, 709070, 709071. Request was from Jakub Wilk <jwilk@debian.org> to 708530-submit@bugs.debian.org. (Mon, 20 May 2013 15:21:04 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 20 May 2013 17:15:24 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#708530; Package python3.3. (Thu, 23 May 2013 15:21:04 GMT)


Message #23 received at 708530@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 708530@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>, zeroinstall-injector@packages.debian.org, python-u1db@packages.debian.org, pymongo@packages.debian.org
Subject: Re: Bug#708530: python3: CVE-2013-2099: ssl.match_hostname() trips over crafted wildcard
Date: Thu, 23 May 2013 17:16:51 +0200
Control: clone -1 -2 -3 -4
Control: reasssign -2 zeroinstall-injector
Control: retitle -2 zeroinstall-injector: possible abuse of ssl_match_hostname() for DoS usings certs with many wildcards
Control: reasssign -3 python-u1db
Control: retitle -3 python-u1db: possible abuse of ssl_match_hostname() for DoS usings certs with many wildcards
Control: reasssign -4 src:pymongo
Control: retitle -4 python(3)-pymongo: possible abuse of ssl_match_hostname() for DoS usings certs with many wildcards
Control: found -4 2.5-1

* Jakub Wilk <jwilk@debian.org>, 2013-05-20, 17:18:
>* Henri Salo <henri@nerv.fi>, 2013-05-16, 16:03:
>>CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
>>Upstream: http://bugs.python.org/issue17980
>
>Unfortunately, we have quite a few embedded copies of this code. :(

I've found a few more...

-- 
Jakub Wilk



Bug 708530 cloned as bugs 709485, 709486, 709487. Request was from Jakub Wilk <jwilk@debian.org> to 708530-submit@bugs.debian.org. (Thu, 23 May 2013 15:21:04 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Tue, 28 May 2013 01:51:23 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 28 May 2013 01:51:23 GMT)


Message #30 received at 708530-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 708530-close@bugs.debian.org
Subject: Bug#708530: fixed in python3.3 3.3.2-3
Date: Tue, 28 May 2013 01:48:47 +0000
Source: python3.3
Source-Version: 3.3.2-3

We believe that the bug you reported is fixed in the latest version of
python3.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 708530@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python3.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 27 May 2013 20:44:03 +0200
Source: python3.3
Binary: python3.3 libpython3.3-stdlib python3.3-minimal libpython3.3-minimal libpython3.3 python3.3-examples python3.3-dev libpython3.3-dev libpython3.3-testsuite idle-python3.3 python3.3-doc python3.3-dbg libpython3.3-dbg
Architecture: source all amd64
Version: 3.3.2-3
Distribution: unstable
Urgency: low
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 idle-python3.3 - IDE for Python (v3.3) using Tkinter
 libpython3.3 - Shared Python runtime library (version 3.3)
 libpython3.3-dbg - Debug Build of the Python Interpreter (version 3.3)
 libpython3.3-dev - Header files and a static library for Python (v3.3)
 libpython3.3-minimal - Minimal subset of the Python language (version 3.3)
 libpython3.3-stdlib - Interactive high-level object-oriented language (version 3.3)
 libpython3.3-testsuite - Testsuite for the Python standard library (v3.3)
 python3.3  - Interactive high-level object-oriented language (version 3.3)
 python3.3-dbg - Debug Build of the Python Interpreter (version 3.3)
 python3.3-dev - Header files and a static library for Python (v3.3)
 python3.3-doc - Documentation for the high-level object-oriented language Python
 python3.3-examples - Examples for the Python language (v3.3)
 python3.3-minimal - Minimal subset of the Python language (version 3.3)
Closes: 708530 709888 709963
Changes: 
 python3.3 (3.3.2-3) unstable; urgency=low
 .
   * Update to 20130527 from the 3.3 branch.
     - Fix #17980, possible abuse of ssl.match_hostname() for denial of service
       using certificates with many wildcards (CVE-2013-2099). Closes: #708530.
   * Disable the test_io test on armel, armhf, mips, mipsel. Hangs the
     buildds.
   * Don't try to byte-compile sitecustomize.py if the target of the
     symlink doesn't exist anymore. Addresses: #709157.
   * Fix directory removal in maintainer scripts. Closes: #709963.
   * Handle byte compilation in python3.3{-minimal,}, byte removal in
     libpython3.3{-minimal,-stdlib}.
   * Backport patch to fix issue #13146, possible race conditions when writing
     .pyc/.pyo files in py_compile.py (Barry Warsaw). LP: #1058884.
   * Mark all _Py_dg_* symbols as optional on m68k. Closes: #709888.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jul 2013 07:28:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:29 2019; Machine Name: buxtehude
