Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#36857 - [python2] security patch for CVE-2013-2098 and CVE-2013-2099
Attached to Project:
Arch Linux
Opened by RbN (RbN) - Tuesday, 10 September 2013, 17:17 GMT
Last edited by Felix Yan (felixonmars) - Thursday, 06 February 2014, 04:11 GMT
Details

From oss-sec [1]:

> A denial of service flaw was found in the way python-backports-ssl_match_hostname,
> an implementation that brings the ssl.match_hostname() function from Python 3.2 to
> users of earlier versions of Python, performed matching of the certificate's name
> in the case it contained many '*' wildcard characters. A remote attacker, able to
> obtain valid certificate [*] with its name containing a lot of '*' wildcard characters,
> could use this flaw to cause denial of service (excessive CPU time consumption) by
> issuing request to validate that certificate for / in an application using the
> python-backports-ssl_match_hostname functionality.

CVE-2013-2098 affects python2.7. CVE-2013-2099 affects python3.

Other software using this code in the repo (bzr and python(2)-tornado) is not affected by this issue in its latest version (verified with sources).

Upstream bug report [2]
Redhat bugzilla [3]

Resolution: upstream patch [4]
It seems that this patch is used by debian for python2.7 and 3.3 [5]. Not tested.

References:
[1] http://www.openwall.com/lists/oss-security/2013/05/15/6
[2] http://bugs.python.org/issue17980
[3] https://bugzilla.redhat.com/show_bug.cgi?id=963186
[4] http://hg.python.org/cpython/rev/c627638753e2
[5] http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.5-7/ssl.match_hostname.diff
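The report above describes the failure mode (a certificate name with many '*' characters makes the wildcard matcher burn CPU) and points at the upstream patch. The following is an added illustration, written for this page and not taken from the report, from CPython or from the referenced patch, of the defensive shape that fix takes: honour wildcards only in the leftmost label and refuse any name carrying more than a small fixed number of them before a regex is ever built. The function names (`dnsname_match`, `rejects_name`), the `MAX_WILDCARDS` constant and the sample names are assumptions for the example; the cap of one wildcard per label is the policy chosen here, not a value quoted from the patch.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name cannot be matched safely."""


# Cap on '*' characters allowed in the leftmost label (assumed policy for this
# example). A matcher that turns every '*' into a '[^.]*' regex fragment produces
# a heavily backtracking pattern for wildcard-heavy names; refusing such names up
# front removes that input class entirely.
MAX_WILDCARDS = 1


def dnsname_match(dn, hostname, max_wildcards=MAX_WILDCARDS):
    """Return True if certificate DNS name `dn` matches `hostname`.

    Wildcards are honoured only in the leftmost label, and more than
    `max_wildcards` of them raises CertificateError instead of being matched.
    """
    if not dn:
        return False
    parts = dn.split('.')
    leftmost = parts[0]
    remainder = parts[1:]

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Refuse early: never compile a regex from a wildcard-heavy name.
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))
    if not wildcards:
        # No wildcard at all: plain case-insensitive comparison.
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == '*':
        # A bare '*' matches exactly one non-empty label.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # Do not expand wildcards inside IDNA A-labels; match literally.
        pats.append(re.escape(leftmost))
    else:
        # Partial wildcard such as 'f*' becomes 'f[^.]*' (still within one label).
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    pats.extend(re.escape(frag) for frag in remainder)

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def rejects_name(dn, hostname):
    """True if `dn` is refused outright (CertificateError) rather than matched."""
    try:
        dnsname_match(dn, hostname)
    except CertificateError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample names: an ordinary wildcard name and a wildcard-heavy one.
    print(dnsname_match('*.example.com', 'www.example.com'))
    print(rejects_name('*' * 20 + '.example.com', 'www.example.com'))
```

The important property is that the decision to reject is taken by counting characters in one label, which is linear in the length of the name, so a hostile certificate never reaches the regex engine; the hardened path still keeps the usual single-label semantics of a wildcard.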
This task depends upon
Closed by Felix Yan (felixonmars)
Thursday, 06 February 2014, 04:11 GMT
Reason for closing: Not a bug
python 3.3.3 as in repo is not vulnerable anymore
python2 2.7.6 is still vulnerable, debian patch for this issue is now http://patch-tracker.debian.org/patch/series/view/python2.7/2.7.6-5/ssl.match_hostname.diff
Debian's patch simply added the function, which doesn't affect our current python 2.7 installation, since it doesn't even have the function.
Original CVE [1] only states this problem for python 3.2/3.3, an unspecified "earlier", and "unspecified versions of python-backports-ssl_match_hostname as used for older Python versions", which was in [community], and the current version 3.4.0.2 has applied the fix.
I guess the "earlier" stands for distributions which patched python with the function before, but that doesn't affect Arch.
Please let me know if I got anything wrong, thanks!
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2099
I didn't dig so far before reporting the bug ...