Bug 996381 (CVE-2013-4238)
Summary: | CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | unspecified | CC: | a.badger, amcnabb, apevec, bgollahe, chrisw, derks, dmalcolm, drieden, edewata, gkotton, henrik, hhorak, ian, ionut, ivazqueznet, jeffrey.ness, jonathansteffan, jorton, markmc, metherid, michel, nobody+bgollahe, ovasik, python-maint, rbean, rbryant, sagarun, sclewis, shahms, srevivo, tflink, tomspur, vkrizan | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2021-10-20 10:40:05 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 996399, 996400, 996401, 996733, 997768, 998430, 998781, 998783, 998784 | ||||||||
Bug Blocks: | 974906, 996394 | ||||||||
Attachments: |
|
Description
Murray McAllister
2013-08-13 05:39:04 UTC
This flaw is similar to CVE-2013-4073, which affected Ruby: https://bugzilla.redhat.com/show_bug.cgi?id=979251 Created python-backports-ssl_match_hostname tracking bugs for this issue: Affects: fedora-all [bug 996400] Affects: epel-6 [bug 996401] Created python-tornado tracking bugs for this issue: Affects: fedora-all [bug 996403] Affects: epel-6 [bug 996405] Created bzr tracking bugs for this issue: Affects: fedora-all [bug 996408] Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 996409] Affects: epel-all [bug 996410] Created python-requests tracking bugs for this issue: Affects: fedora-all [bug 996402] Affects: epel-6 [bug 996404] Created zeroinstall-injector tracking bugs for this issue: Affects: fedora-all [bug 996406] Affects: epel-6 [bug 996407] Created python3 tracking bugs for this issue: Affects: fedora-all [bug 996399] Created python tracking bugs for this issue: Affects: fedora-all [bug 998430] Created attachment 788301 [details]
Minimal test case
Created attachment 788302 [details]
certs with nulls (taken from upstream commit)
Created python26 tracking bugs for this issue: Affects: epel-5 [bug 998783] Statement: This issue does not affect the version of python as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. python-2.7.5-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. python3-3.3.2-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1582 https://rhn.redhat.com/errata/RHSA-2013-1582.html This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html |