Your submission was sent successfully! Close

CVE-2013-4238

Published: 17 August 2013

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Notes

AuthorNote
jdstrand
reproducer in upstream report
Priority

Medium

Status

Package Release Status
python2.6
Launchpad, Ubuntu, Debian
lucid
Released (2.6.5-1ubuntu6.2)
precise Does not exist

quantal Does not exist

raring Does not exist

upstream Needed

Patches:
upstream: http://hg.python.org/cpython/rev/79007c4244d6
upstream: http://hg.python.org/cpython/rev/50803d881a92 (regression)
upstream: http://hg.python.org/cpython/rev/07ee48ce4513 (fix)









python2.7
Launchpad, Ubuntu, Debian
lucid Does not exist

precise
Released (2.7.3-0ubuntu3.4)
quantal
Released (2.7.3-5ubuntu4.3)
raring
Released (2.7.4-2ubuntu3.2)
upstream Needed

Patches:



upstream: http://hg.python.org/cpython/rev/bd2360476bdb
upstream: http://hg.python.org/cpython/rev/1cd24ea5abeb (regression)
upstream: http://hg.python.org/cpython/rev/a7d5b86ffb95 (fix)






python3.1
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Does not exist

quantal Does not exist

raring Does not exist

upstream Needed

python3.2
Launchpad, Ubuntu, Debian
lucid Does not exist

precise
Released (3.2.3-0ubuntu3.5)
quantal
Released (3.2.3-6ubuntu3.4)
raring Does not exist

upstream Needed

python3.3
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

quantal
Released (3.3.0-1ubuntu0.1)
raring
Released (3.3.1-1ubuntu5.2)
upstream Needed

Patches:






upstream: http://hg.python.org/cpython/rev/7a0f398d1a5c (trunk)
upstream: http://hg.python.org/cpython/rev/577e9402cadd (trunk regression)
upstream: http://hg.python.org/cpython/rev/4e93f32176fb (trunk fix)
upstream: http://hg.python.org/cpython/rev/c9f073e593b0 (3.3)
upstream: http://hg.python.org/cpython/rev/004743d210e4 (3.3 regression)
upstream: http://hg.python.org/cpython/rev/90040e560527 (3.3 fix)