A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. References: http://bugs.python.org/issue18709 http://bugs.python.org/file31241/CVE-2013-4073_py34.patch http://bugs.python.org/file31242/CVE-2013-4073_py33.patch http://bugs.python.org/file31243/CVE-2013-4073_py27.patch
This flaw is similar to CVE-2013-4073, which affected Ruby: https://bugzilla.redhat.com/show_bug.cgi?id=979251
Created python-backports-ssl_match_hostname tracking bugs for this issue: Affects: fedora-all [bug 996400] Affects: epel-6 [bug 996401]
Created python-tornado tracking bugs for this issue: Affects: fedora-all [bug 996403] Affects: epel-6 [bug 996405]
Created bzr tracking bugs for this issue: Affects: fedora-all [bug 996408]
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 996409] Affects: epel-all [bug 996410]
Created python-requests tracking bugs for this issue: Affects: fedora-all [bug 996402] Affects: epel-6 [bug 996404]
Created zeroinstall-injector tracking bugs for this issue: Affects: fedora-all [bug 996406] Affects: epel-6 [bug 996407]
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 996399]
Created python tracking bugs for this issue: Affects: fedora-all [bug 998430]
Created attachment 788301 [details] Minimal test case
Created attachment 788302 [details] certs with nulls (taken from upstream commit)
Created python26 tracking bugs for this issue: Affects: epel-5 [bug 998783]
Statement: This issue does not affect the version of python as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.
python-2.7.5-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python3-3.3.2-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1582 https://rhn.redhat.com/errata/RHSA-2013-1582.html
This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html