CVE-2013-4238
Published: 17 August 2013
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Notes
| Author | Note |
|---|---|
| jdstrand | reproducer in upstream report |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.6 Launchpad, Ubuntu, Debian |
lucid |
Released
(2.6.5-1ubuntu6.2)
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Needed
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/79007c4244d6 upstream: http://hg.python.org/cpython/rev/50803d881a92 (regression) upstream: http://hg.python.org/cpython/rev/07ee48ce4513 (fix) |
||
|
python2.7 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Released
(2.7.3-0ubuntu3.4)
|
|
| quantal |
Released
(2.7.3-5ubuntu4.3)
|
|
| raring |
Released
(2.7.4-2ubuntu3.2)
|
|
| upstream |
Needed
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/bd2360476bdb upstream: http://hg.python.org/cpython/rev/1cd24ea5abeb (regression) upstream: http://hg.python.org/cpython/rev/a7d5b86ffb95 (fix) |
||
|
python3.1 Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Needed
|
|
|
python3.2 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Released
(3.2.3-0ubuntu3.5)
|
|
| quantal |
Released
(3.2.3-6ubuntu3.4)
|
|
| raring |
Does not exist
|
|
| upstream |
Needed
|
|
|
python3.3 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Does not exist
|
|
| quantal |
Released
(3.3.0-1ubuntu0.1)
|
|
| raring |
Released
(3.3.1-1ubuntu5.2)
|
|
| upstream |
Needed
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/7a0f398d1a5c (trunk) upstream: http://hg.python.org/cpython/rev/577e9402cadd (trunk regression) upstream: http://hg.python.org/cpython/rev/4e93f32176fb (trunk fix) upstream: http://hg.python.org/cpython/rev/c9f073e593b0 (3.3) upstream: http://hg.python.org/cpython/rev/004743d210e4 (3.3 regression) upstream: http://hg.python.org/cpython/rev/90040e560527 (3.3 fix) |
||
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238
- http://bugs.python.org/issue18709
- https://bugs.mageia.org/show_bug.cgi?id=10989
- https://ubuntu.com/security/notices/USN-1983-1
- https://ubuntu.com/security/notices/USN-1982-1
- https://ubuntu.com/security/notices/USN-1985-1
- https://ubuntu.com/security/notices/USN-1984-1
- NVD
- Launchpad
- Debian