| Summary: | <dev-lang/python:{3.2.5-r1,3.3.2-r1}: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns (CVE-2013-2099) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=963260 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
Don't know who inserted the Python 3000 mention here, but that codename is long gone and certainly doesn't make sense in this kind of message. </grumpy>

Upstream patches available for 3.2 [1] and 3.3 [2].

[1] http://hg.python.org/cpython/rev/b9b521efeba3
[2] http://hg.python.org/cpython/rev/c627638753e2

Thanks. I'll work on backporting them.

+*python-3.2.5-r1 (03 Jul 2013)
+*python-3.3.2-r1 (03 Jul 2013)
+
+  03 Jul 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/python-3.2-CVE-2013-2099.patch, +files/python-3.3-CVE-2013-2099.patch,
+  +python-3.2.5-r1.ebuild, +python-3.3.2-r1.ebuild:
+  Add patch to fix CVE-2013-2099, bug 469988.

We can stabilize python-3.2.5-r1. python-3.3* is not stable yet, so skip it.

Sounds good to me.

Arches, please stable =dev-lang/python-3.2.5-r1, target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86. Thanks!

amd64 stable

x86 stable

ppc stable

Stable for HPPA.

ppc64 stable

alpha stable

arm stable

ia64 stable

sh stable

sparc stable

s390 stable

+*python-3.3.2-r2 (18 Aug 2013)
+
+  18 Aug 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/CVE-2013-4073_py33.patch, +python-3.3.2-r2.ebuild:
+  Use Arfrever's patchset, bug 354877. Apply fix for CVS-2013-4238, bug 480856.

(In reply to Mike Gilbert from comment #17) Sorry, wrong bug.

m68k timeout.

@maintainers: please clean up affected versions, but leave the latest stable m68k version, drop all other keywords.

GLSA request filed.

(In reply to Chris Reffett from comment #19) Gentoo Council on 2013-09-17 destabilized whole m68k architecture.

Okay then. @maintainers: cleanup.
CVE-2013-2099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2099): Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Maintainer(s), Thank you for your work!

Added to existing GLSA draft.

This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).
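An added example, not code from this bug report or from CPython: a hostname matcher that applies the mitigation the upstream fix introduced, capping the number of wildcards accepted per certificate DNS name before any regular expression is compiled, so a name crafted to make the matcher backtrack is rejected with a CertificateError instead of consuming CPU. The certificate dicts follow the ssl.getpeercert() layout and are constructed for this example; dnsname_match, match_hostname and check are this example's own names.

```python
import re

# Constructed sample certificates in the dict layout ssl.getpeercert() returns.
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.com')),
}
CRAFTED_CERT = {'subjectAltName': (('DNS', '*a*b*c*d*e*f.example.com'),)}

class CertificateError(ValueError):
    """Raised when the certificate cannot be matched to the hostname."""

def dnsname_match(dn, hostname, max_wildcards=1):
    """RFC 6125-style match of hostname against one certificate DNS name."""
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # CVE-2013-2099 mitigation: refuse the name before building a regex
        # that could backtrack heavily on a label full of wildcards.
        raise CertificateError('too many wildcards in certificate DNS name: %r' % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        pats = ['[^.]+']                      # bare '*' matches one whole label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]          # no wildcard inside IDNA labels
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None

def match_hostname(cert, hostname):
    """Try SAN DNS entries; fall back to commonName only if there are none."""
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:
        names = [v for rdn in cert.get('subject', ()) for k, v in rdn
                 if k == 'commonName']
    if not any(dnsname_match(n, hostname) for n in names):
        raise CertificateError("hostname %r doesn't match %s" % (
            hostname, ', '.join(map(repr, names)) or 'any certificate name'))

def check(cert, hostname):
    # Return None when the hostname is accepted, else the rejection message.
    try:
        match_hostname(cert, hostname)
    except CertificateError as err:
        return str(err)
    return None
```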