Summary: CVE-2013-7440 python: wildcard matching rules do not follow RFC 6125
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Version: unspecified
CC: abaron, amcnabb, apevec, ayoung, bkearney, bleanhar, ccoleman, ceph-eng-bugs, chrisw, cpelland, cperry, dallan, dmcphers, donald, fschwarz, gkotton, gmollett, henrik, infra-sig, jal233, jialiu, jkeck, joelsmith, jokerman, jorton, katello-bugs, lewk, lhh, lmeyer, lpeer, markmc, metherid, mhroncok, mmaslano, mmccomas, mmccune, moez.roy, mrunge, nlevinki, ohadlevy, orion, ovasik, p, pstodulk, pviktori, python-maint, python-sig, rbean, rbryant, rfortier, rhos-maint, rhs-bugs, sagarun, sardella, sclewis, shahms, slawomir, smilner, srevivo, tomspur, vbellur
Fixed In Version: python 2.7.9, python 3.3.3, python 3.4.0, python-backports-ssl_match_hostname 3.4.0.2
Doc Type: Bug Fix
Multiple flaws were found in the way Python's SSL module matched certificate names containing wildcards. A remote attacker able to obtain a valid certificate containing certain wildcard names could have it incorrectly accepted by Python SSL clients, whose matching did not follow the RFC 6125 recommendations.
|Bug Depends On:||1231239, 1023742, 1035223, 1230951, 1230952, 1230953, 1230954, 1231231, 1231232, 1231238, 1304146, 1304225, 1304227|
Description Martin Prpič 2015-05-26 11:52:59 UTC
It was found that Python's SSL hostname matching rules did not conform to RFC 6125 when the hostname included wildcards.

Upstream issue: https://bugs.python.org/issue17997#msg194950
CVE assignment: http://seclists.org/oss-sec/2015/q2/523
Upstream patch: https://hg.python.org/cpython/rev/10d0edadbcdd
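The RFC 6125 wildcard rules that the upstream fix enforces, as an added example that is not code from this bug report or from CPython: dnsname_match() honours a wildcard only in the left-most label, caps the number of wildcards per name (max_wildcards, with an assumed default of 1), never lets it span a dot and never expands it inside an xn-- A-label. legacy_match() is my reconstruction of the older permissive approach (any label may hold any number of '*') and exists only to show the difference. match_hostname(), hostname_accepted(), compare(), SAMPLE_CERT and CASES are my own names; the certificate dict and the name/host pairs are constructed, not taken from any real server.

```python
import re

class CertificateError(ValueError):
    """Raised when a presented identifier is malformed or does not match."""

def legacy_match(dn, hostname):
    # Permissive pre-fix style (my reconstruction, not CPython's code): every
    # label may carry any number of '*', each expanded to '[^.]*', wherever
    # the label sits in the name, and nothing bounds the wildcard count.
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')   # a bare '*' label stands for one non-empty label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None

def dnsname_match(dn, hostname, max_wildcards=1):
    """Match hostname against one presented DNS identifier per RFC 6125 6.4.3:
    a wildcard is honoured only in the left-most label, at most max_wildcards
    of them, never across a '.', and never inside an IDNA A-label (xn--...)."""
    if not dn or not hostname:
        return False
    leftmost, remainder = dn.split('.')[0], dn.split('.')[1:]
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Checked before any regex is built, so a hostile certificate cannot
        # hand the regex engine an arbitrarily wildcard-laden name.
        raise CertificateError('too many wildcards in certificate DNS name: %r' % dn)
    if not wildcards:
        # No left-most wildcard: plain case-insensitive comparison; a '*' in
        # any later label deliberately has no special meaning.
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]   # RFC 6125 6.4.3 subitem 3: literal only
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)  # later labels are literal
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None

def match_hostname(cert, hostname):
    """Verify hostname against a dict shaped like ssl.SSLSocket.getpeercert().
    dNSName SAN entries are authoritative; the subject commonName is consulted
    only when the certificate carries no dNSName at all (RFC 6125 6.4.4)."""
    if not cert:
        raise ValueError('empty or no certificate')
    dnsnames = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not dnsnames:
        dnsnames = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    if not dnsnames:
        raise CertificateError('no appropriate commonName or subjectAltName fields were found')
    if not any(dnsname_match(dn, hostname) for dn in dnsnames):
        raise CertificateError("hostname %r doesn't match %s" % (hostname, ', '.join(map(repr, dnsnames))))

def hostname_accepted(cert, hostname):
    """True if match_hostname() accepts the pair, False if it raises CertificateError."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True

def compare(dn, hostname):
    """(legacy verdict, RFC 6125 verdict); 'rejected' means the name itself was refused."""
    try:
        strict = dnsname_match(dn, hostname)
    except CertificateError:
        strict = 'rejected'
    return legacy_match(dn, hostname), strict

# Constructed certificate dict, not taken from any real server.
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.com')),
}

# Constructed presented-identifier / hostname pairs, one per rule.
CASES = [
    ('*.example.com', 'www.example.com'),                # ordinary wildcard: both accept
    ('*.example.com', 'a.b.example.com'),                # a wildcard never spans a dot
    ('www.*.com', 'www.example.com'),                    # wildcard outside the left-most label
    ('*.*.com', 'www.example.com'),                      # two wildcard labels
    ('a*b*c*d*e*f*g*h.example.com', 'www.example.com'),  # wildcard-stuffed label: refused outright
    ('xn--*.example.com', 'xn--anything.example.com'),   # wildcard inside an A-label
]

if __name__ == '__main__':
    for dn, host in CASES:
        print('%-30s %-26s legacy=%-5s rfc6125=%s' % ((dn, host) + compare(dn, host)))
```

Running the script prints one line per case; the permissive matcher accepts www.*.com, *.*.com and xn--*.example.com for hostnames a client should never treat as covered, while dnsname_match() refuses them and throws out the wildcard-stuffed name before a regex is ever compiled, which is the point of the max_wildcards bound.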
Comment 1 Tomas Hoger 2015-06-11 08:18:19 UTC
This was fixed upstream in Python 3.3.3, and also in backports.ssl_match_hostname 3.4.0.2:
https://pypi.python.org/pypi/backports.ssl_match_hostname/3.4.0.2

Corrected version was also added to Python 2.7.9. Python 2.7 versions before 2.7.9 did not include match_hostname() and hence were not affected.
Comment 3 Tomas Hoger 2015-06-11 20:55:07 UTC
The backports.ssl_match_hostname is bundled with urllib3 upstream sources. Additionally, urllib3 is bundled in the requests library. However, python-urllib3 and python-requests packages in Red Hat products and Fedora do not bundle backports.ssl_match_hostname and instead use the version in python-backports-ssl_match_hostname packages.

There are several copies of the match_hostname implementation in python-pip:

- pip/backwardcompat/ssl_match_hostname.py
  - this was used in pip versions prior to 1.5, removed via: https://github.com/pypa/pip/commit/c61b5df
  - version included in pip 1.4.1 was affected by CVE-2013-7440, but not affected by CVE-2013-2099 (bug 963260)
  - version included in pip 1.3.4 is affected by both CVE-2013-7440 and CVE-2013-2099, but some Red Hat packages already include a patch for CVE-2013-2099
- pip/_vendor/requests/packages/urllib3/packages/ssl_match_hostname/_implementation.py
  - embedded requests library with embedded urllib3 with embedded backports.ssl_match_hostname
  - added in pip 1.5 when requests 2.0.0 was added, using a ssl_match_hostname version with this issue already fixed: https://github.com/pypa/pip/commit/651a961
- pip/_vendor/distlib/compat.py
  - code was affected by both CVE-2013-2099 and CVE-2013-7440 until pip 6.0.0, when embedded distlib was updated to version 0.2.0: https://github.com/pypa/pip/commit/320a07f
  - it's unclear to me if the match_hostname copy in distlib is used by pip

distlib is also packaged separately in Fedora. The current version of python-distlib packages is 0.1.9. CVE-2013-2099 and CVE-2013-7440 were only fixed upstream in 0.2.0 via: https://bitbucket.org/vinay.sajip/distlib/commits/1e44690

match_hostname code is also copied in the setuptools package:

- 0.7 introduced the code when it added support for SSL certificate verification: https://bitbucket.org/pypa/setuptools/commits/8dc5794
- 0.9.5 corrected CVE-2013-2099: https://bitbucket.org/pypa/setuptools/commits/4b0fb61
- 1.3 corrected CVE-2013-7440: https://bitbucket.org/pypa/setuptools/commits/7eeb678

python-setuptools in Red Hat Enterprise Linux 6 and earlier is based on upstream versions prior to 0.7 and hence does not contain match_hostname. The version in Red Hat Enterprise Linux 7 is 0.9.8. However, it does not contain match_hostname, as it was patched to use the implementation from the python-backports-ssl_match_hostname package. Version 0.9.8 is also used in python-setuptools packages in the python27 and python33 collections in Red Hat Software Collections. Those packages already include a patch for CVE-2013-7440. The rh-python34 collection contains a newer upstream setuptools version (11.3.1).
Comment 4 Tomas Hoger 2015-06-11 21:08:40 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1230953]
Affects: epel-all [bug 1230954]
Comment 5 Tomas Hoger 2015-06-11 21:08:48 UTC
Created bzr tracking bugs for this issue:

Affects: fedora-all [bug 1230951]
Comment 6 Tomas Hoger 2015-06-11 21:08:54 UTC
Created python-distlib tracking bugs for this issue:

Affects: fedora-all [bug 1230952]
Comment 7 Tomas Hoger 2015-06-12 12:29:18 UTC
pip and setuptools are bundled with virtualenv. The following provides a quick overview of versions bundled with virtualenv versions as found in Red Hat products and Fedora:

- virtualenv 1.7.2 - includes distribute-0.6.27 and setuptools-0.6c11 - not affected
- virtualenv 1.10.1 - includes pip-1.4.1 and setuptools-0.9.8 - affected
- virtualenv 1.11.6 - includes pip-1.5.6 and setuptools-3.6 - only pip/distlib affected
- virtualenv 12.0.7 - includes pip-6.0.8 and setuptools-12.0.5 - not affected
Comment 8 Tomas Hoger 2015-06-12 12:45:51 UTC
match_hostname is also embedded in pymongo:

- it was introduced in 2.5:
  https://jira.mongodb.org/browse/PYTHON-466
  https://github.com/mongodb/mongo-python-driver/commit/48046b2e
- CVE-2013-2099 was corrected in 2.6:
  https://jira.mongodb.org/browse/PYTHON-522
  https://github.com/mongodb/mongo-python-driver/commit/e4f6e4f7
- CVE-2013-7440 was corrected in 2.7:
  https://jira.mongodb.org/browse/PYTHON-650
  https://github.com/mongodb/mongo-python-driver/commit/9b0e542a
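Comments 3 and 8 above list several vendored copies of match_hostname() (pip, distlib, setuptools, pymongo), which is why fixing the interpreter alone is not enough. The following is an added example, not part of this bug report or of any of those projects, that audits a directory tree for such copies. The classification heuristic is my assumption: copies predating the fix build their regex in a helper named _dnsname_to_pat() and never bound the wildcard count, fixed copies carry _dnsname_match() with a max_wildcards parameter, and anything else defining match_hostname() is reported as unknown for manual review. The sample sources and the directory layout written by demo() are constructed.

```python
"""Audit a directory tree for vendored copies of match_hostname()."""
import os
import sys
import tempfile

# Heuristic markers (my assumption, see lead-in): the fixed shape needs both
# fixed markers; the pre-fix shape is recognised by its regex helper name.
FIXED_MARKERS = ('_dnsname_match', 'max_wildcards')
VULNERABLE_MARKERS = ('_dnsname_to_pat',)

def classify_source(text):
    """Return 'fixed', 'vulnerable', 'unknown', or None if no match_hostname() is defined."""
    if 'def match_hostname' not in text:
        return None
    if all(marker in text for marker in FIXED_MARKERS):
        return 'fixed'
    if any(marker in text for marker in VULNERABLE_MARKERS):
        return 'vulnerable'
    return 'unknown'

def scan_tree(root):
    """Return sorted (path relative to root, verdict) pairs for every .py file
    under root that defines match_hostname()."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith('.py'):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='utf-8', errors='replace') as fh:
                    verdict = classify_source(fh.read())
            except OSError:
                continue   # unreadable file: skip it rather than abort the audit
            if verdict is not None:
                findings.append((os.path.relpath(path, root), verdict))
    return sorted(findings)

# Constructed stand-ins for the two shapes; bodies are elided on purpose, only
# the identifiers the heuristic keys on are present.
SAMPLE_VULNERABLE = '''
def _dnsname_to_pat(dn):
    ...
def match_hostname(cert, hostname):
    ...
'''
SAMPLE_FIXED = '''
def _dnsname_match(dn, hostname, max_wildcards=1):
    ...
def match_hostname(cert, hostname):
    ...
'''

def demo():
    """Write the constructed samples into a scratch tree laid out like the
    vendoring paths named in this bug, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            'pip/_vendor/distlib/compat.py': SAMPLE_VULNERABLE,
            'setuptools/ssl_support.py': SAMPLE_FIXED,
            'requests/packages/urllib3/packages/ssl_match_hostname/_implementation.py': SAMPLE_FIXED,
            'unrelated/module.py': 'def something_else():\n    pass\n',
        }
        for rel, text in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w', encoding='utf-8') as fh:
                fh.write(text)
        return scan_tree(root)

if __name__ == '__main__':
    # With no arguments, audit every site-packages directory on sys.path.
    roots = sys.argv[1:] or [p for p in sys.path if p.endswith('site-packages')]
    for root in roots:
        for rel, verdict in scan_tree(root):
            print('%-10s %s' % (verdict, os.path.join(root, rel)))
```

Point the script at a virtualenv's site-packages (or at an unpacked virtualenv_support tarball) to see every bundled copy at once; 'unknown' hits deserve a look by hand, since a copy that was patched locally, as the RHEL 7 setuptools was, may match neither shape.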
Comment 9 Tomas Hoger 2015-06-12 13:13:39 UTC
Created python-pymongo tracking bugs for this issue:

Affects: fedora-all [bug 1231231]
Affects: epel-all [bug 1231232]
Comment 10 Tomas Hoger 2015-06-12 13:23:18 UTC
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 1231238]
Affects: epel-6 [bug 1231239]
Comment 15 Fedora Update System 2015-07-20 19:47:26 UTC
python-pip-7.1.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-07-20 19:47:43 UTC
python-pip-7.1.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-08-15 02:23:13 UTC
bzr-2.6.0-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-08-15 02:23:44 UTC
bzr-2.6.0-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2016-02-12 11:51:56 UTC
python-pymongo-2.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2016-02-12 12:19:45 UTC
python-pymongo-2.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2016-02-20 22:58:34 UTC
python-pymongo-2.5.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2016-02-20 23:55:27 UTC
python-pymongo-2.5.2-3.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 24 errata-xmlrpc 2016-05-31 10:24:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166
Comment 25 Andrej Nemec 2017-09-08 12:21:34 UTC
Statement: This issue affects the versions of python27-python-pip, python-pymongo and python-virtualenv as shipped with Red Hat OpenShift 2.x and Satellite 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.