oss-sec mailing list archives
Re: CVE Request -- Python SSL module does not handle certificates that contain hostnames with NULL bytes
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 12 Aug 2013 20:55:46 -0600
On 08/12/2013 08:37 PM, Murray McAllister wrote:
> Good morning,
>
> An issue similar to CVE-2013-4073[1] was found in Python:
>
> https://bugs.mageia.org/show_bug.cgi?id=10989
> http://bugs.python.org/issue18709
>
> Could a CVE for the Python instance of this flaw please be assigned (if one has not already been assigned)?
>
> Thanks.
>
> [1] <http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/>
> <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4073>
>
> --
> Murray McAllister / Red Hat Security Response Team

Yup just to be clear: CVE-2013-4073 is for Ruby. Python needs a new CVE (different code base and all that).

Please use CVE-2013-4238 for this issue in Python.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993