A denial of service flaw was found in the way the SSL module implementation of Python 3 (version 3 of the Python programming language, aka Python 3000) performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause a denial of service (excessive CPU consumption) by issuing a request to validate such a certificate for / to an application using Python's ssl.match_hostname() functionality.

Upstream bug report:
[1] http://bugs.python.org/issue17980

CVE request:
[2] http://www.openwall.com/lists/oss-security/2013/05/15/6 (is for python-backports-ssl_match_hostname, but that code comes from the Python 3.2 ssl module implementation)
[3] http://www.openwall.com/lists/oss-security/2013/05/15/7

Acknowledgements:

Name: Florian Weimer (Red Hat Product Security)
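An added illustration of the matching behaviour described in the report above. This is example code written for this page, not code from the bug report, from CPython or from any of the packages discussed: dnsname_to_pat_vulnerable is modelled on the pre-fix Python 3.2 pattern builder (each '*' becomes '[^.]*' with no limit on how many a label may carry), and dnsname_match_hardened on the approach of the upstream fix (at most one wildcard, counted in the leftmost label only). The function names, the CertificateError class and the certificate names used in backtracking_cost are this example's own constructions.

```python
"""Constructed demonstration of the wildcard-matching flaw (CVE-2013-2099).

Example code added for this page; it is not the bug report's code and not
CPython's. dnsname_to_pat_vulnerable is modelled on the pre-fix Python 3.2
ssl._dnsname_to_pat, and dnsname_match_hardened on the approach of the
upstream fix (cap wildcards in the leftmost label). All names and the
certificate names used below are this example's own.
"""
import re
import time


class CertificateError(ValueError):
    """Raised by the hardened matcher when a name is rejected outright."""


def dnsname_to_pat_vulnerable(dn):
    """Pre-fix behaviour: every '*' in every label becomes '[^.]*', with no
    limit on how many wildcards one label may carry.  Adjacent 'a[^.]*'
    groups overlap, so a failing match backtracks through every way of
    distributing the host label's characters among them."""
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            # A bare '*' label must match exactly one label.
            pats.append('[^.]+')
        else:
            # Escape the label, then turn the escaped '*' into '[^.]*'.
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def match_hostname_vulnerable(dn, hostname):
    """True if certificate name dn matches hostname under the pre-fix rules."""
    return dnsname_to_pat_vulnerable(dn).match(hostname) is not None


def dnsname_match_hardened(dn, hostname, max_wildcards=1):
    """Hardened matcher: wildcards count only in the leftmost label, at most
    max_wildcards of them are allowed, and every other label is escaped.
    Raises CertificateError instead of building an explosive pattern."""
    if not dn:
        return False
    leftmost, _, remainder = dn.partition('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            'too many wildcards in certificate DNS name: %r' % dn)
    if not wildcards:
        # Common case: plain case-insensitive comparison, no regex at all.
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        pats = ['[^.]+']
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    if remainder:
        # Wildcards in non-leftmost labels are ignored (escaped literally).
        pats.extend(re.escape(frag) for frag in remainder.split('.'))
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def backtracking_cost(n_wildcards, label_len):
    """Time the pre-fix matcher on a constructed hostile pair: a name whose
    leftmost label is 'a*' repeated n_wildcards times then 'b', checked
    against a host label of label_len 'a's.  The match can only fail after
    the engine has tried every placement of the literal 'a's."""
    dn = 'a*' * n_wildcards + 'b.example.com'
    hostname = 'a' * label_len + '.example.com'
    start = time.perf_counter()
    matched = match_hostname_vulnerable(dn, hostname)
    return matched, time.perf_counter() - start


if __name__ == '__main__':
    # Constructed sizes kept small enough to finish quickly; the growth in
    # time with n_wildcards is the point.
    for n in (2, 4, 6):
        matched, seconds = backtracking_cost(n, 20)
        print('%d wildcards: matched=%s, %.4fs' % (n, matched, seconds))
    try:
        dnsname_match_hardened('a*a*b.example.com', 'aab.example.com')
    except CertificateError as err:
        print('hardened matcher rejected it:', err)
```

Run it directly to see the timing grow with the wildcard count; keep the sizes small, since the pre-fix matcher's cost rises combinatorially with each extra wildcard. The hardened variant refuses the name before any regex is built, which is why the fix is a cap rather than a faster pattern.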
This issue affects the versions of the python3 package, as shipped with Fedora releases 17 and 18. Please schedule an update (once there is a final upstream patch available).
Created python3 tracking bugs for this issue Affects: fedora-all [bug 963261]
This issue did NOT affect the versions of the python package, as shipped with Red Hat Enterprise Linux 5 and 6 (as the SSL module of that Python language version did not implement the match_hostname() routine yet).

This issue did NOT affect the versions of the python package, as shipped with Fedora releases 17 and 18 (as the SSL module of that Python language version did not implement the match_hostname() routine yet).
Statement: This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as the SSL module there did not implement the match_hostname() routine yet.
This would appear to also apply to the python-backports-ssl_match_hostname package which is present in epel6, Fedora 17, 18, 19, and rawhide.
(In reply to comment #5)
> This would appear to also apply to the python-backports-ssl_match_hostname
> package which is present in epel6, Fedora 17, 18, 19, and rawhide.

Thank you, Toshio. The original bug for the python-backports-ssl_match_hostname case was bug #963186 (but I will merge them so this is not confusing).
Created python-backports-ssl_match_hostname tracking bugs for this issue Affects: fedora-all [bug 963187] Affects: epel-6 [bug 963188]
*** Bug 963186 has been marked as a duplicate of this bug. ***
The CVE identifier CVE-2013-2098 has been assigned to the python-backports-ssl_match_hostname package case:
http://www.openwall.com/lists/oss-security/2013/05/16/5

and the identifier CVE-2013-2099 has been assigned to the python3 package case:
http://www.openwall.com/lists/oss-security/2013/05/16/6
Issue submitted upstream on backports.ssl_match_hostname: https://bitbucket.org/brandon/backports.ssl_match_hostname/issue/1/cve-2013-2098-denial-of-service-when
This is embedded in a few other packages:

bzr-2.5.1-2.fc18: (source) bzr-2.5.1.tar.gz
  Found matching function in bzr-2.5.1/bzrlib/transport/http/_urllib2_wrappers.py:402: def _dnsname_to_pat(dn):

python-requests-0.14.1-1.fc18: (source) requests-0.14.1.tar.gz
  Found matching function in requests-0.14.1/requests/packages/urllib3/packages/ssl_match_hostname/__init__.py:10: def _dnsname_to_pat(dn):

python-tornado-2.2.1-3.fc18: (source) tornado-2.2.1.tar.gz
  Found matching function in tornado-2.2.1/tornado/simple_httpclient.py:455: def _dnsname_to_pat(dn):

zeroinstall-injector-1.13-1.fc18: (source) 0install-1.13.tar.bz2
  Found matching function in 0install-1.13/zeroinstall/support/ssl_match_hostname.py:15: def _dnsname_to_pat(dn):

I've checked all of these and they are indeed affected by this.
The upstream patch is here: http://hg.python.org/cpython/rev/fafd33db6ff6
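The comments above find the same vulnerable function bundled under several package trees. As an added example (written for this page, not taken from the bug report or from any of the listed packages), here is a small audit that walks a checkout for bundled copies of the matcher and sorts them into vulnerable and patched. The directory layout it constructs only echoes the bundled paths named in this bug; the file contents are made up. The "patched" heuristic is an assumption: a copy counts as fixed when it carries a wildcard cap spelled the way the upstream patch does ('max_wildcards' / 'too many wildcards'), so a copy fixed some other way is reported as vulnerable and needs a manual look.

```python
"""Audit a checkout for bundled copies of the hostname matcher.

Example code added for this page, not from the bug report or any of the
packages it lists.  The directory layout it builds is constructed for the
demonstration and only echoes the bundled paths named in this bug.  The
"patched" heuristic is an assumption: it treats a copy as fixed when it
carries a wildcard cap spelled the way the upstream patch does
('max_wildcards' / 'too many wildcards'); a copy fixed another way would
be reported as vulnerable and needs a manual look.
"""
import os
import re
import tempfile

# A bundled copy defines the matcher itself rather than importing ssl's.
MATCHER_DEF = re.compile(r'^\s*def\s+_dnsname_(?:to_pat|match)\s*\(', re.M)
# Assumed markers of a patched copy (spelling taken from the upstream fix).
FIX_MARKERS = ('max_wildcards', 'too many wildcards')


def classify_source(text):
    """None if the file does not bundle the matcher, else 'vulnerable' or
    'patched' (assumed from the presence of the upstream cap)."""
    if not MATCHER_DEF.search(text):
        return None
    if any(marker in text for marker in FIX_MARKERS):
        return 'patched'
    return 'vulnerable'


def scan_tree(root):
    """Walk root and return {relative/path.py: verdict} for bundled copies."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.py'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                verdict = classify_source(fh.read())
            if verdict is not None:
                rel = os.path.relpath(path, root).replace(os.sep, '/')
                findings[rel] = verdict
    return findings


# Constructed file contents: a pre-fix style copy, a patched-style copy,
# and an unrelated module that merely lives at a path named in the bug.
VULNERABLE_COPY = (
    "import re\n\n"
    "def _dnsname_to_pat(dn):\n"
    "    pats = []\n"
    "    for frag in dn.split(r'.'):\n"
    "        pats.append(re.escape(frag).replace(r'\\*', '[^.]*'))\n"
    "    return re.compile(r'\\A' + r'\\.'.join(pats) + r'\\Z', re.IGNORECASE)\n"
)
PATCHED_COPY = (
    "import re\n\n"
    "def _dnsname_match(dn, hostname, max_wildcards=1):\n"
    "    leftmost = dn.split('.')[0]\n"
    "    if leftmost.count('*') > max_wildcards:\n"
    "        raise ValueError('too many wildcards in certificate DNS name')\n"
    "    return dn.lower() == hostname.lower()\n"
)
UNRELATED = "def fetch(url):\n    return url\n"

SAMPLE_TREE = {
    'requests/packages/urllib3/packages/ssl_match_hostname/__init__.py': VULNERABLE_COPY,
    'pip/backwardcompat/ssl_match_hostname.py': PATCHED_COPY,
    'tornado/simple_httpclient.py': UNRELATED,
}


def build_sample_tree(root):
    """Write the constructed tree under root so scan_tree has something to walk."""
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)


def scan_sample_tree():
    """Build the constructed tree in a fresh temp dir and scan it."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == '__main__':
    for rel, verdict in sorted(scan_sample_tree().items()):
        print('%-70s %s' % (rel, verdict))
```

Point scan_tree at a real site-packages or source checkout to use it for more than the constructed tree; anything it reports as vulnerable, and anything patched in a way the markers do not catch, should be compared by hand against the upstream change.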
Tracking bugs filed:

* python-tornado:
  epel-6 affected: [bug 966272]
  fedora-all affected: [bug 966270]
* bzr:
  fedora-all affected: [bug 966275]
* python-requests:
  epel-6 affected: [bug 966271]
  fedora-all affected: [bug 966269]
* zeroinstall-injector:
  epel-6 affected: [bug 966274]
  fedora-all affected: [bug 966273]
Also affects python-pip: ./pip/backwardcompat/ssl_match_hostname.py
Created python-pip tracking bugs for this issue Affects: fedora-all [bug 970110] Affects: epel-all [bug 970112]
(In reply to Toshio Ernie Kuratomi from comment #14)
> Also affects python-pip:
>
> ./pip/backwardcompat/ssl_match_hostname.py

Thank you, Toshio. Child bugs created.
bzr-2.5.1-11.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
bzr-2.5.1-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
bzr-2.5.1-11.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Two more packages with this issue:

* python-setuptools 0.7+ -- fedora rawhide only; I'm working on a new build for this right now.
* python-virtualenv *bundles* pip: /usr/lib/python2.7/site-packages/virtualenv_support/pip-1.3.tar.gz
  Therefore, it has the same code (and problem) as the standalone pip.
I've updated setuptools in rawhide to 0.9.5 which contains my backport of the fix.
python-pip-1.3.1-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-pip-1.3.1-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
python-pip-1.3.1-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
python-pip-1.3.1-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2013-2098 was rejected as a dupe of CVE-2013-2099:

Name: CVE-2013-2098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2098
Assigned: 20130219

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-2099. Reason: This candidate is a duplicate of CVE-2013-2099. Notes: All CVE users should reference CVE-2013-2099 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
IssueDescription: A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.
This issue has been addressed in the following products:

  Red Hat Storage 2.1
  Red Hat Storage Console 2.1
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2014:1263 https://rhn.redhat.com/errata/RHSA-2014-1263.html
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1690 https://rhn.redhat.com/errata/RHSA-2014-1690.html
python-tornado-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-tornado-2.2.1-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Common for RHEL 6 Via RHSA-2015:0042 https://rhn.redhat.com/errata/RHSA-2015-0042.html
python-tornado-2.2.1-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Created python-distlib tracking bugs for this issue: Affects: fedora-all [bug 1230952]
Created python-pymongo tracking bugs for this issue: Affects: fedora-all [bug 1231231] Affects: epel-all [bug 1231232]
python-pymongo-2.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-3.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166
Satellite doesn't ship the python-requests module from 6.1 onwards, nor does it ship python-backports-ssl_match_hostname. Until python-requests-2.4.3-1.el7sat, ssl_match_hostname was bundled internally.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1111139