oss-sec mailing list archives
Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 20 May 2013 21:21:39 +0200

On Wed, 15 May 2013 19:51:38 -0600 Kurt Seifried wrote:

> On 05/15/2013 05:28 AM, Jan Lieskovsky wrote:
>> Replying to myself here. Issue is present in Python 3.2 code too - so the CVE should be allocated for the original (Python 3.2) code, rather than to python-backports-ssl_match_hostname package.

...

> Please use CVE-2013-2099 for this issue.

There should be no need for two separate CVEs for this issue. The problematic match_hostname was developed in Python 3. As its functionality is needed by Python 2 users, and it is not provided by the standard library, the Python 3 implementation was made available via a different module. It's the same code, packaged in the python (3.x) and python-backports-ssl_match_hostname packages. The same CVE should apply to both. Given that CVE-2013-2099 was assigned to Python 3 ssl, CVE-2013-2098 seems like the one to reject as dupe.

--
Tomas Hoger / Red Hat Security Response Team