oss-sec mailing list archives
Re: CVE Request -- Python SSL module does not handle certificates that contain hostnames with NULL bytes
From: Brian Cameron <brian.cameron () oracle com>
Date: Thu, 15 Aug 2013 17:23:29 -0500
I notice the upstream bug has patches for many versions of Python, but not for Python 2.6. Will a Python 2.6 patch be provided, or is it a reasonable fix to just backport the patched 2.7 files to 2.6 directly?

Thanks,

---
Brian

On 08/12/13 09:55 PM, Kurt Seifried wrote:
> On 08/12/2013 08:37 PM, Murray McAllister wrote:
>> Good morning,
>>
>> An issue similar to CVE-2013-4073[1] was found in Python:
>>
>> https://bugs.mageia.org/show_bug.cgi?id=10989
>> http://bugs.python.org/issue18709
>>
>> Could a CVE for the Python instance of this flaw please be assigned (if one has not already been assigned)?
>>
>> Thanks.
>>
>> [1]
>> <http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/>
>> <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4073>
>>
>> --
>> Murray McAllister / Red Hat Security Response Team
>
> Yup just to be clear: CVE-2013-4073 is for Ruby. Python needs a new CVE (different code base and all that).
>
> Please use CVE-2013-4238 for this issue in Python.
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- CVE Request -- Python SSL module does not handle certificates that contain hostnames with NULL bytes Murray McAllister (Aug 12)
- Re: CVE Request -- Python SSL module does not handle certificates that contain hostnames with NULL bytes Kurt Seifried (Aug 12)
- Re: CVE Request -- Python SSL module does not handle certificates that contain hostnames with NULL bytes Brian Cameron (Aug 15)