From ${URL} : A denial of service flaw was found in the way SSL module implementation of Python3, version 3 of the Python programming language (aka Python 3000), performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain valid certificate with its name containing a lot of '*' wildcard characters could use this flaw to cause denial of service (excessive CPU consumption) by issuing request to validate such a certificate for / to an application using the Python's ssl.match_hostname() functionality.

Upstream bug report:
[1] http://bugs.python.org/issue17980

CVE request:
[2] http://www.openwall.com/lists/oss-security/2013/05/15/6 (is for python-backports-ssl_match_hostname, but that code comes from Python 3.2 ssl module implementation)
[3] http://www.openwall.com/lists/oss-security/2013/05/15/7

Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security Team

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
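The mitigation the report is asking for can be seen in a few lines of hostname-matching code. The block below is an added example, not code from this bug or from CPython: it is a simplified re-implementation of the RFC 6125 style matching that ssl.match_hostname() performs, with the defence the upstream fix introduced, a cap on the number of '*' characters in a name that is enforced before any regular expression is built. The function names (dnsname_match, classify) and the sample names in the demo are constructed for this example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name cannot be matched safely."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one certificate DNS name (CN or SAN dNSName) against hostname.

    Simplified re-implementation for illustration (not the stdlib code).
    The CVE-2013-2099 mitigation is the wildcard cap: counting '*' in the
    leftmost label is linear in the name length, so a name stuffed with
    wildcards is rejected here instead of being turned into a regex whose
    matching cost grows with the number of wildcards.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Reject before any pattern is compiled or matched.
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))

    if not wildcards:
        # No wildcard: plain case-insensitive comparison, no regex needed.
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == '*':
        # '*.example.com' matches exactly one label, never 'a.b.example.com'.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # RFC 6125 §6.4.3: no wildcard matching inside IDNA (punycode) labels.
        pats.append(re.escape(leftmost))
    else:
        # Partial wildcard such as 'f*' matches within a single label.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    for frag in remainder:
        pats.append(re.escape(frag))

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def classify(dn, hostname):
    """Return 'match', 'mismatch' or 'rejected' for a (name, hostname) pair.

    'rejected' means the name failed the wildcard cap and was never matched;
    an application would treat that like a failed verification.
    """
    try:
        return 'match' if dnsname_match(dn, hostname) else 'mismatch'
    except CertificateError:
        return 'rejected'


if __name__ == '__main__':
    # Constructed sample names, including one with far more wildcards than
    # any legitimate certificate would carry.
    samples = [
        ('www.example.com', 'WWW.example.com'),
        ('*.example.com', 'www.example.com'),
        ('*.example.com', 'a.b.example.com'),
        ('f*.example.com', 'foo.example.com'),
        ('*' * 20 + '.example.com', 'x.example.com'),
    ]
    for dn, host in samples:
        print('%-32s %-18s %s' % (dn, host, classify(dn, host)))
```

The cap is the whole mitigation: whether or not the regex engine would have struggled with the name, a certificate name carrying more than one wildcard in a label is refused in constant-factor time, which is the behaviour an application relying on match_hostname() needs after the patch is applied.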
Don't know who inserted the Python 3000 mention here, but that codename is long gone and certainly doesn't make sense in this kind of message. </grumpy>
Upstream patches available for 3.2 [1] and 3.3 [2].

[1] http://hg.python.org/cpython/rev/b9b521efeba3
[2] http://hg.python.org/cpython/rev/c627638753e2
Thanks. I'll work on backporting them.
+*python-3.2.5-r1 (03 Jul 2013) +*python-3.3.2-r1 (03 Jul 2013) + + 03 Jul 2013; Mike Gilbert <floppym@gentoo.org> + +files/python-3.2-CVE-2013-2099.patch, +files/python-3.3-CVE-2013-2099.patch, + +python-3.2.5-r1.ebuild, +python-3.3.2-r1.ebuild: + Add patch to fix CVE-2013-2099, bug 469988. We can stabilize python-3.2.5-r1. python-3.3* is not stable yet, so skip it.
Sounds good to me. Arches, please stable =dev-lang/python-3.2.5-r1, target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86. Thanks!
amd64 stable
x86 stable
ppc stable
Stable for HPPA.
ppc64 stable
alpha stable
arm stable
ia64 stable
sh stable
sparc stable
s390 stable
+*python-3.3.2-r2 (18 Aug 2013) + + 18 Aug 2013; Mike Gilbert <floppym@gentoo.org> + +files/CVE-2013-4073_py33.patch, +python-3.3.2-r2.ebuild: + Use Arfrever's patchset, bug 354877. Apply fix for CVS-2013-4238, bug 480856.
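Review bot: the CVE identifier in the entry text, "CVS-2013-4238", is misspelled (CVS for CVE) and does not agree with the patch file name `files/CVE-2013-4073_py33.patch` in the same entry; the ChangeLog text and the file name should name the same CVE, or the entry should say which fix each refers to.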
(In reply to Mike Gilbert from comment #17) Sorry, wrong bug.
m68k timeout. @maintainers: please clean up affected versions, but leave the latest stable m68k version, drop all other keywords. GLSA request filed.
(In reply to Chris Reffett from comment #19) Gentoo Council on 2013-09-17 destabilized whole m68k architecture.
Okay then. @maintainers: cleanup.
CVE-2013-2099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2099): Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.
Maintainer(s), Thank you for your work! Added to existing GLSA draft.
This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).