Bug 996381 - (CVE-2013-4238) CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130812,repor...
: Security
Depends On: 998783 996399 996400 996401 996733 997768 998430 998781 998784
Blocks: 974906 996394
  Show dependency treegraph
 
Reported: 2013-08-13 01:39 EDT by Murray McAllister
Modified: 2016-12-04 15:42 EST (History)
38 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Minimal test case (388 bytes, text/plain)
2013-08-20 00:43 EDT, Huzaifa S. Sidhpurwala
no flags Details
certs with nulls (taken from upstream commit) (5.31 KB, text/plain)
2013-08-20 00:44 EDT, Huzaifa S. Sidhpurwala
no flags Details

  None (edit)
Description Murray McAllister 2013-08-13 01:39:04 EDT
A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

References:

http://bugs.python.org/issue18709
http://bugs.python.org/file31241/CVE-2013-4073_py34.patch
http://bugs.python.org/file31242/CVE-2013-4073_py33.patch
http://bugs.python.org/file31243/CVE-2013-4073_py27.patch
Comment 1 Murray McAllister 2013-08-13 01:43:12 EDT
This flaw is similar to CVE-2013-4073, which affected Ruby: https://bugzilla.redhat.com/show_bug.cgi?id=979251
Comment 3 Murray McAllister 2013-08-13 02:40:04 EDT
Created python-backports-ssl_match_hostname tracking bugs for this issue:

Affects: fedora-all [bug 996400]
Affects: epel-6 [bug 996401]
Comment 6 Murray McAllister 2013-08-13 02:44:27 EDT
Created python-tornado tracking bugs for this issue:

Affects: fedora-all [bug 996403]
Affects: epel-6 [bug 996405]
Comment 7 Murray McAllister 2013-08-13 02:44:43 EDT
Created bzr tracking bugs for this issue:

Affects: fedora-all [bug 996408]
Comment 8 Murray McAllister 2013-08-13 02:45:00 EDT
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 996409]
Affects: epel-all [bug 996410]
Comment 9 Murray McAllister 2013-08-13 02:45:31 EDT
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 996402]
Affects: epel-6 [bug 996404]
Comment 10 Murray McAllister 2013-08-13 02:45:50 EDT
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 996406]
Affects: epel-6 [bug 996407]
Comment 11 Murray McAllister 2013-08-13 02:46:10 EDT
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 996399]
Comment 13 Huzaifa S. Sidhpurwala 2013-08-19 06:04:56 EDT
Created python tracking bugs for this issue:

Affects: fedora-all [bug 998430]
Comment 14 Huzaifa S. Sidhpurwala 2013-08-20 00:43:38 EDT
Created attachment 788301 [details]
Minimal test case
Comment 15 Huzaifa S. Sidhpurwala 2013-08-20 00:44:27 EDT
Created attachment 788302 [details]
certs with nulls (taken from upstream commit)
Comment 17 Huzaifa S. Sidhpurwala 2013-08-20 00:47:20 EDT
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 998783]
Comment 19 Huzaifa S. Sidhpurwala 2013-08-22 02:36:57 EDT
Statement:

This issue does not affect the version of python as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.
Comment 20 Fedora Update System 2013-08-24 18:27:03 EDT
python-2.7.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2013-08-27 19:35:34 EDT
python3-3.3.2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2013-11-21 04:15:25 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1582 https://rhn.redhat.com/errata/RHSA-2013-1582.html
Comment 23 errata-xmlrpc 2013-11-21 19:36:27 EST
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html

Note You need to log in before you can comment on or make changes to this bug.