Summary: | <dev-lang/python-{2.6.8-r3,2.7.5-r2,3.2.5-r2}: Hostname check bypassing vulnerability in SSL module (CVE-2013-4238) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=996381 | ||
Whiteboard: | A4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-08-13 08:42:32 UTC
+*python-3.3.2-r2 (18 Aug 2013)
+
+  18 Aug 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/CVE-2013-4073_py33.patch, +python-3.3.2-r2.ebuild:
+  Use Arfrever's patchset, bug 354877. Apply fix for CVS-2013-4238, bug 480856.
+*python-2.7.5-r2 (18 Aug 2013)
+*python-3.2.5-r2 (18 Aug 2013)
+*python-2.6.8-r3 (18 Aug 2013)
+
+  18 Aug 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/CVE-2013-4238_py26.patch, +files/CVE-2013-4238_py27.patch,
+  +files/CVE-2013-4238_py32.patch, +files/CVE-2013-4238_py33.patch,
+  +python-2.6.8-r3.ebuild, +python-2.7.5-r2.ebuild, +python-3.2.5-r2.ebuild,
+  -files/CVE-2013-4073_py33.patch, python-3.3.2-r2.ebuild:
+  Apply fix for CVE-2013-4238, bug 480856.

It should be ok to stabilize these.
=dev-lang/python-2.6.8-r3
=dev-lang/python-2.7.5-r2
=dev-lang/python-3.2.5-r2

Okay then. Arches, please stabilize the following:
=dev-lang/python-2.6.8-r3 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=dev-lang/python-2.7.5-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=dev-lang/python-3.2.5-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
(Python team, please correct me if I have any of the stable targets wrong)

Stable for HPPA.

I guess the evaluation is A here.

amd64 stable

x86 stable

alpha stable

arm stable

ia64 stable

ppc64 stable

ppc stable

s390 stable

sh stable

sparc stable

m68k isn't a supported security arch, so we can vote while waiting on it.
GLSA vote: no (requires too specific circumstances with the crafted certificate)

CVE-2013-4238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4238):
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
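Review bot: in the first ChangeLog entry (python-3.3.2-r2) the added file is named files/CVE-2013-4073_py33.patch while the message says it applies the fix for "CVS-2013-4238"; the second entry removes that file and adds files/CVE-2013-4238_py33.patch, so the first entry shipped a mis-numbered patch file and a typo in the CVE id. "CVS-2013-4238" should read "CVE-2013-4238" so the log is searchable by the CVE identifier, and the second entry would read more clearly if its message said the py33 patch was renamed rather than only listing the removal.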
GLSA vote: no

Setting noglsa, waiting for m68k stabilization to close this...

M68K is no longer a stable arch, removing it from the cc list.

The "no's" have it. Closing noglsa.
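The failure mode described in the CVE text above, as an added example that is not part of this bug report, of the Gentoo patches, or of CPython's ssl module: a hostname matcher in the style of ssl.match_hostname run against a constructed certificate whose dNSName carries an embedded NUL. The certificate dictionaries are constructed here in the shape that ssl.SSLSocket.getpeercert() returns; c_string_truncate is an assumed model of the bug class (a C-string based extractor stops at the first NUL), not a copy of the CPython code; dnsname_match and match_hostname are this example's own functions following the RFC 6125 matching rules, with the hardened path rejecting any name that contains a NUL byte.

```python
import re

# Constructed certificate records (getpeercert() shape), not real certificates.
# CRAFTED_CERT models a cert a CA could issue if it only checks the part of the
# name before the NUL; the attacker controls the part the victim's client sees.
CRAFTED_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "www.victim.example\x00.attacker.example"),),
}
HONEST_CERT = {
    "subject": ((("commonName", "www.victim.example"),),),
    "subjectAltName": (("DNS", "www.victim.example"), ("DNS", "*.victim.example")),
}


class CertificateError(ValueError):
    """Raised when the certificate does not match the requested hostname."""


def c_string_truncate(name):
    """Assumed model of the vulnerable behaviour: a NUL-terminated string API
    returns only the bytes before the first NUL, so the application sees the
    attacker-chosen prefix of the certificate name."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one certificate dNSName against hostname (RFC 6125 style).
    Only the left-most label may contain a wildcard; a NUL byte anywhere in the
    name is rejected outright, which is the check the CVE fix boils down to."""
    if not dn:
        return False
    if "\x00" in dn:
        raise CertificateError("NUL byte in certificate name %r" % dn)
    leftmost, *remainder = dn.split(".")
    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == "*":
        pats.append("[^.]+")                      # '*' matches exactly one label
    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
        pats.append(re.escape(leftmost))          # no wildcards inside IDNA labels
    else:
        pats.append(re.escape(leftmost).replace(r"\*", "[^.]*"))  # e.g. "f*.example"
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname, truncate=lambda s: s):
    """Return None if cert is valid for hostname, else raise CertificateError.
    `truncate` is applied to every name first: pass c_string_truncate to see the
    vulnerable behaviour; the default identity function is the hardened path."""
    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            value = truncate(value)
            if dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:  # fall back to commonName only when no dNSName is present
        for sub in cert.get("subject", ()):
            for key, value in sub:
                if key == "commonName":
                    value = truncate(value)
                    if dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if dnsnames:
        raise CertificateError("hostname %r doesn't match any of %s"
                               % (hostname, ", ".join(map(repr, dnsnames))))
    raise CertificateError("no appropriate commonName or subjectAltName fields were found")


def is_valid_for(cert, hostname, truncate=lambda s: s):
    """Boolean wrapper around match_hostname for callers that just want a verdict."""
    try:
        match_hostname(cert, hostname, truncate)
        return True
    except CertificateError:
        return False


if __name__ == "__main__":
    target = "www.victim.example"
    print("honest cert, hardened :", is_valid_for(HONEST_CERT, target))
    print("crafted cert, truncating:", is_valid_for(CRAFTED_CERT, target, c_string_truncate))
    print("crafted cert, hardened  :", is_valid_for(CRAFTED_CERT, target))
```

With the truncating extractor the crafted certificate is accepted for www.victim.example, because the matcher only ever sees the prefix before the NUL; the hardened path rejects the same certificate before any comparison happens, which is why the fix is a rejection of NUL bytes in the name rather than a change to the wildcard logic.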