CVE-2013-7440

Published: 07 June 2016

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
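The following is an added illustration, not code from this page or from CPython itself. It models the two behaviours the description and the notes below refer to: a legacy matcher in the pre-fix style, where every label of the certificate name may carry wildcards and each `*` is expanded into a regex fragment, beside an RFC 6125 (section 6.4.3) style matcher modelled on the fixed versions, which caps the wildcard count per name, expands a wildcard only in the left-most label, refuses to expand it inside an IDNA A-label, and compares the remaining labels literally. The function names `legacy_match`, `rfc6125_match` and `compare`, and the certificate names fed to them, are assumptions made for this example; the constructed names are chosen to show where the two matchers diverge.

```python
import re


class CertificateError(ValueError):
    """Raised when a presented DNS name cannot be matched safely."""


def legacy_match(dn, hostname):
    # Pre-fix style (illustration, not CPython's code): every label may
    # contain wildcards and every '*' becomes '[^.]*', so names such as
    # '*.*.example.com' or 'w*w*.example.com' are accepted and expanded.
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')          # bare '*' matches one non-empty label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def rfc6125_match(dn, hostname, max_wildcards=1):
    # RFC 6125 section 6.4.3 style matching, modelled on the fixed versions:
    # at most max_wildcards '*' characters in the left-most label, wildcard
    # expansion only in that label, no expansion inside an IDNA A-label.
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            'too many wildcards in certificate DNS name: %r' % dn)

    if not wildcards:
        # Plain name: exact, case-insensitive comparison, no regex at all.
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == '*':
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats.append(re.escape(leftmost))   # keep '*' literal inside an A-label
    else:
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))

    # Labels after the left-most one are escaped as-is, so a '*' there only
    # matches a host whose label is literally '*', never an arbitrary label.
    for frag in remainder:
        pats.append(re.escape(frag))

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def compare(dn, hostname):
    """Return (legacy_result, rfc6125_result); a CertificateError from the
    RFC 6125 matcher is reported as the string 'rejected'."""
    try:
        new = rfc6125_match(dn, hostname)
    except CertificateError:
        new = 'rejected'
    return legacy_match(dn, hostname), new


if __name__ == '__main__':
    # Constructed certificate names and hostnames for the comparison.
    for dn, host in [('*.example.com', 'www.example.com'),
                     ('*.*.example.com', 'www.mail.example.com'),
                     ('w*w*.example.com', 'www.example.com'),
                     ('xn--*.example.com', 'xn--abc.example.com')]:
        print('%-20s %-25s legacy=%-5s rfc6125=%s' % ((dn, host) + compare(dn, host)))
```

A single left-most wildcard such as `*.example.com` is accepted by both matchers; the difference shows only for names with a wildcard in a non-left-most label, more than one wildcard in a label, or a wildcard inside an `xn--` label, which is why the notes describe the RFC 6125 change as a behaviour change rather than a pure bug fix.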

Priority

Low

CVSS 3 base score: 5.9

Status

Package      Release                          Status
python2.7    (Launchpad, Ubuntu, Debian)
             Upstream                         Needs triage
             Ubuntu 14.04 ESM (Trusty Tahr)   Not vulnerable (contains the RFC 6125 code change)
python3.2    (Launchpad, Ubuntu, Debian)
             Upstream                         Needs triage
             Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist
python3.4    (Launchpad, Ubuntu, Debian)
             Upstream                         Needs triage
             Ubuntu 14.04 ESM (Trusty Tahr)   Not vulnerable (contains the RFC 6125 code change)

Notes

Author    Note
tyhicks   This CVE is specifically for the multiple wildcards issue and not the
          change in behavior from RFC 2818 to RFC 6125.
          Note that revision 10d0edadbcdd changes the behavior over to RFC 6125,
          which may cause compatibility issues in old releases.
mdeslaur  Since this introduces a behaviour change, we will not be fixing
          this in stable releases.

References

Bugs