oss-sec mailing list archives
Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 22 May 2013 01:08:36 -0600
On 05/20/2013 01:21 PM, Tomas Hoger wrote:
> On Wed, 15 May 2013 19:51:38 -0600 Kurt Seifried wrote:
>> On 05/15/2013 05:28 AM, Jan Lieskovsky wrote:
>>> Replying to myself here. Issue is present in Python 3.2 code too -
>>> so the CVE should be allocated for the original (Python 3.2) code,
>>> rather than to python-backports-ssl_match_hostname package.
>>
>> ...
>>
>> Please use CVE-2013-2099 for this issue.
>
> There should be no need for two separate CVEs for this issue.
> Problematic match_hostname was developed in Python 3. As its
> functionality is needed by Python 2 users, and it is not provided by
> the standard library, Python 3 implementation was made available via
> different module. It's the same code, packaged in python (3.x) and
> python-backports-ssl_match_hostname packages. The same CVE should
> apply to both. Given that CVE-2013-2099 was assigned to Python 3 ssl,
> CVE-2013-2098 seems like the one to reject as dupe.

My reasoning here was that Python 2 and 3 constitute "forked" or separate code bases, so fall under CVE SPLIT.

Evidence includes:

1) Python 2to3, a lot of Python code needs work to move from 2 to 3
2) This feature was added as standard in Python 3 and then later back ported to 2

Steve, can we get a referee's decision here?

Thanks.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993