Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2013-7440

Published: 7 June 2016

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.

Notes

AuthorNote
tyhicks
This CVE is specifically for the multiple wildcards issue and not the
change in behavior from RFC 2818 to RFC 6125
Note that revision 10d0edadbcdd changes the behavior over to RFC 6125
which may cause compatibability issues in old releases
mdeslaur
since this introduces a behaviour change, we will not be fixing
this in stable releases.

Priority

Low

CVSS 3 base score: 5.9

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian
upstream Needs triage

precise Not vulnerable
(doesn't implement ssl.match_hostname)
trusty Not vulnerable
(contains the RFC 6125 code change)
utopic Not vulnerable

vivid Not vulnerable

python3.2
Launchpad, Ubuntu, Debian
upstream Needs triage

precise Ignored

trusty Does not exist

utopic Does not exist

vivid Does not exist

python3.4
Launchpad, Ubuntu, Debian
upstream Needs triage

precise Does not exist

trusty Not vulnerable
(contains the RFC 6125 code change)
utopic Not vulnerable

vivid Not vulnerable