oss-sec mailing list archives
Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 23 May 2013 13:58:27 +0200
On Wed, 22 May 2013 01:08:36 -0600 Kurt Seifried wrote:
> Given that CVE-2013-2099 was assigned to Python 3 ssl, CVE-2013-2098 seems like the one to reject as dupe.
>
> My reasoning here was that Python 2 and 3 constitute "forked" or separate code bases, so fall under CVE SPLIT. Evidence includes:
>
> 1) Python 2to3, a lot of Python code needs work to move from 2 to 3
> 2) This feature was added as standard in Python 3 and then later backported to 2
There are surely differences in other parts of the Python code, but in this case, the affected functionality is the same in Python 3 and python-backports-ssl_match_hostname (the latter just contains functionality copied from the former). Given that the affected code is identical, I don't believe differences in other parts of the codebases not related to the flaw should force a split. I.e. I'd follow:

  AB4) If there are multiple products, vendors, distributors, or users of the same core codebase, then DO NOT SPLIT based solely on distinguishing between products.

Additionally, the same code was also found embedded elsewhere:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709066#16
  https://bugzilla.redhat.com/show_bug.cgi?id=963260#c11

I don't think we want to give every project embedding that source a separate CVE id.

--
Tomas Hoger / Red Hat Security Response Team