Description of problem:

http://bugs.python.org/issue17997#msg194950

This was recently fixed upstream and applied to the python3.3.3 and python3.4 branches (neither is released yet.) There does not appear to be a CVE for this upstream update but there are apparently security implications.

The problem will affect other packages which copy the pair of functions that implement that functionality just like this bug: https://bugzilla.redhat.com/show_bug.cgi?id=963261

As I now have upstream commit rights to fix things like this in python-backports-ssl_match_hostname we should also update packages which copy the code to use the version in the python-backports-ssl_match_hostname package as well. Something like:

    try:
        from backports.ssl_match_hostname import CertificateError, match_hostname
    except ImportError:
        CertificateError = None
        match_hostname = None

    if not CertificateError:
        # Use the upstream's copied code to define CertificateError
    if not match_hostname:
        # Use the upstream's copied code to define match_hostname

Version-Release number of selected component (if applicable):

* All current python3 packages.
* Packages which bundle the applicable code -- an old list is what blocks https://bugzilla.redhat.com/show_bug.cgi?id=963261; there could be more since then.

Updates for python-backports-ssl_match_hostname:

* https://admin.fedoraproject.org/updates/python-backports-ssl_match_hostname-3.4.0.2-1.fc20
* https://admin.fedoraproject.org/updates/python-backports-ssl_match_hostname-3.4.0.2-1.fc19
* https://admin.fedoraproject.org/updates/python-backports-ssl_match_hostname-3.4.0.2-1.fc18
* https://admin.fedoraproject.org/updates/python-backports-ssl_match_hostname-3.4.0.2-1.el6

(In reply to Toshio Ernie Kuratomi from comment #0)
> Something like:
>

If the upstream code supports python3 as well then the code would be like this:

    try:
        # Python3.2+
        from ssl import CertificateError, match_hostname
    except ImportError:
        try:
            # backports.ssl_match_hostname from pypi installed
            from backports.ssl_match_hostname import CertificateError, match_hostname
        except ImportError:
            CertificateError = None
            match_hostname = None

    if not CertificateError:
        # Use the upstream's copied code to define CertificateError
    if not match_hostname:
        # Use the upstream's copied code to define match_hostname

Updates for python-setuptools:

* https://admin.fedoraproject.org/updates/python-setuptools-0.9.8-2.fc20
* (rawhide) http://koji.fedoraproject.org/koji/buildinfo?buildID=474369

Updates for Python3:

* https://admin.fedoraproject.org/updates/python3-3.3.0-5.fc18
* https://admin.fedoraproject.org/updates/python3-3.3.2-8.fc19
* https://admin.fedoraproject.org/updates/python3-3.3.2-8.fc20

@security team, any word on what we're going to do with this issue for packages which bundle ssl.match_hostname() ?

(In reply to Toshio Ernie Kuratomi from comment #5)
> @security team, any word on what we're going to do with this issue for
> packages which bundle ssl.match_hostname() ?

Just for information, and if needed, here is the list of packages we patched under Mageia:
https://bugs.mageia.org/show_bug.cgi?id=11785#c17

* python3-3.3.0-4.5.mga3.src
* python-virtualenv-1.10.1-1.2.mga3.src
* python-requests-0.13.5-2.2.mga3.src
* bzr-2.5.1-3.2.mga3.src
* python-pip-1.3.1-2.2.mga3.src
* python-tornado-2.3-2.2.mga3.src
* python-urllib3-1.7.1-1.1.mga3.src
* python-setuptools-0.9.8-2.2.mga3.src

python-virtualenv is really painful, we should work with upstream to work on the fact that it is bundling setuptools and pip (https://bugzilla.redhat.com/show_bug.cgi?id=749378)
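
Added example, not part of the original thread or of any package named in it: a scanner for source trees that bundle their own `match_hostname` / `CertificateError`, separating copies kept only as a fallback behind an import from `ssl` or `backports.ssl_match_hostname` (the pattern sketched in the comments above) from unconditional copies. The names `scan_source` and `find_bundled_copies` and the sample sources are assumptions made up for this illustration.

```python
import ast
import os

TARGETS = {"match_hostname", "CertificateError"}
PREFERRED = {"ssl", "backports.ssl_match_hostname"}  # modules named in this thread

def scan_source(source):
    """Return (target names defined locally, True if also imported from PREFERRED)."""
    defined, imported = set(), False
    for node in ast.walk(ast.parse(source)):  # walk() also sees defs nested under if/try
        if isinstance(node, (ast.FunctionDef, ast.ClassDef)) and node.name in TARGETS:
            defined.add(node.name)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module in PREFERRED:
            imported = imported or any(alias.name in TARGETS for alias in node.names)
    return sorted(defined), imported

def find_bundled_copies(root):
    """Map relative path -> 'fallback', 'unconditional' or 'unparsed'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    defined, imported = scan_source(fh.read())
            except (SyntaxError, ValueError):
                findings[rel] = "unparsed"  # e.g. Python 2-only syntax: review by hand
                continue
            if defined:
                findings[rel] = "fallback" if imported else "unconditional"
    return findings

# Constructed sample inputs (stand-ins, not taken from any real package).
UNCONDITIONAL = "def match_hostname(cert, hostname):\n    pass\n"
FALLBACK = '''
try:
    from ssl import CertificateError, match_hostname
except ImportError:
    match_hostname = None
if not match_hostname:
    def match_hostname(cert, hostname):
        pass
'''
```

Call `find_bundled_copies()` on an unpacked source tree; "unconditional" hits are the copies that never pick up a fixed `ssl` or `backports.ssl_match_hostname`, and "fallback" hits still need the copied code itself patched for interpreters where neither import succeeds.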