Bugzilla – Bug 886001
VUL-0: CVE-2013-2099: python3: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns
Last modified: 2014-08-28 09:05:43 UTC
A remote attacker, able to obtain valid certificate with its name containing a lot of '*' wildcard characters could use this flaw to cause denial of service (excessive CPU consumption) by issuing request to validate such a certificate for / to an application using the Python's ssl.match_hostname() functionality. Upstream patch: http://hg.python.org/cpython/rev/fafd33db6ff6 References: https://bugzilla.redhat.com/show_bug.cgi?id=963260 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2099 http://www.openwall.com/lists/oss-security/2013/05/16/6 http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2099.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099 http://secunia.com/advisories/55107 http://secunia.com/advisories/55116 http://www.ubuntu.com/usn/USN-1983-1 http://www.ubuntu.com/usn/USN-1984-1 http://www.ubuntu.com/usn/USN-1985-1 http://bugs.python.org/issue17980
bugbot adjusting priority
SLE12, Factory and 13.1 versions are already fixed. 12.3 is vulnerable. This doesn't seem too severe - is it OK if we keep 12.3 unfixed?
I would prefer a fix but since it's "just a DoS" (and one that probably won't see much use) it's fine
This is an autogenerated message for OBS integration: This bug (886001) was mentioned in https://build.opensuse.org/request/show/243787 12.3 / python3
fixed in 12.3 along with bug 885882 handing over to security
relased
openSUSE-SU-2014:1070-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 885882,886001 CVE References: CVE-2013-2099,CVE-2014-4650 Sources used: openSUSE 12.3 (src): python3-3.3.0-6.23.1, python3-base-3.3.0-6.23.1, python3-doc-3.3.0-6.23.1