CVE-2013-7440
Published: 7 June 2016
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
Notes
| Author | Note |
|---|---|
| tyhicks | This CVE is specifically for the multiple wildcards issue and not the change in behavior from RFC 2818 to RFC 6125 Note that revision 10d0edadbcdd changes the behavior over to RFC 6125 which may cause compatibability issues in old releases |
| mdeslaur | since this introduces a behaviour change, we will not be fixing this in stable releases. |
Priority
CVSS 3 base score: 5.9
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
| precise |
Not vulnerable
(doesn't implement ssl.match_hostname)
|
|
| trusty |
Not vulnerable
(contains the RFC 6125 code change)
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|
|
|
python3.2 Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
| precise |
Ignored
|
|
| trusty |
Does not exist
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
| precise |
Does not exist
|
|
| trusty |
Not vulnerable
(contains the RFC 6125 code change)
|
|
| utopic |
Not vulnerable
|
|
| vivid |
Not vulnerable
|