From ${URL} : A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. References: http://bugs.python.org/issue18709 http://bugs.python.org/file31241/CVE-2013-4073_py34.patch http://bugs.python.org/file31242/CVE-2013-4073_py33.patch http://bugs.python.org/file31243/CVE-2013-4073_py27.patch @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
+*python-3.3.2-r2 (18 Aug 2013) + + 18 Aug 2013; Mike Gilbert <floppym@gentoo.org> + +files/CVE-2013-4073_py33.patch, +python-3.3.2-r2.ebuild: + Use Arfrever's patchset, bug 354877. Apply fix for CVS-2013-4238, bug 480856.
+*python-2.7.5-r2 (18 Aug 2013) +*python-3.2.5-r2 (18 Aug 2013) +*python-2.6.8-r3 (18 Aug 2013) + + 18 Aug 2013; Mike Gilbert <floppym@gentoo.org> + +files/CVE-2013-4238_py26.patch, +files/CVE-2013-4238_py27.patch, + +files/CVE-2013-4238_py32.patch, +files/CVE-2013-4238_py33.patch, + +python-2.6.8-r3.ebuild, +python-2.7.5-r2.ebuild, +python-3.2.5-r2.ebuild, + -files/CVE-2013-4073_py33.patch, python-3.3.2-r2.ebuild: + Apply fix for CVE-2013-4238, bug 480856. +
It should be ok to stabilize these. =dev-lang/python-2.6.8-r3 =dev-lang/python-2.7.5-r2 =dev-lang/python-3.2.5-r2
Okay then. Arches, please stabilize the following: =dev-lang/python-2.6.8-r3 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 =dev-lang/python-2.7.5-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 =dev-lang/python-3.2.5-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 (Python team, please correct me if I have any of the stable targets wrong)
Stable for HPPA.
I guess the evaluation is A here.
amd64 stable
x86 stable
alpha stable
arm stable
ia64 stable
ppc64 stable
ppc stable
s390 stable
sh stable
sparc stable
m68k isn't a supported security arch, so we can vote while waiting on it. GLSA vote: no (requires too specific circumstances with the crafted certificate)
CVE-2013-4238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4238): The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
GLSA vote: no Setting noglsa, waiting for m68k stabilization to close this...
M68K is not anymore a stable arch, removing it from the cc list
The "no's" have it. Closing noglsa.
