oss-sec mailing list archives

Re: CVE Request -- Python SSL module does not handle certificates that contain hostnames with NULL bytes


From: Brian Cameron <brian.cameron () oracle com>
Date: Thu, 15 Aug 2013 17:23:29 -0500


I notice the upstream bug has patches for many versions of Python, but
not for Python 2.6.  Will a Python 2.6 patch be provided, or is it a
reasonable fix to just backport the patched 2.7 files to 2.6 directly?

Thanks,

---

Brian


On 08/12/13 09:55 PM, Kurt Seifried wrote:

On 08/12/2013 08:37 PM, Murray McAllister wrote:
Good morning,

An issue similar to CVE-2013-4073[1] was found in Python:

https://bugs.mageia.org/show_bug.cgi?id=10989
http://bugs.python.org/issue18709

Could a CVE for the Python instance of this flaw please be assigned
(if one has not already been assigned)?

Thanks.

[1]
<http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/>



<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4073>

-- Murray McAllister / Red Hat Security Response Team

Yup just to be clear: CVE-2013-4073 is for Ruby. Python needs a new
CVE (different code base and all that).

Please use CVE-2013-4238 for this issue in Python.

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


