Bugzilla – Bug 930207
VUL-2: CVE-2013-7440: python,python3: ssl.match_hostname(): sub string wildcard should not match IDNA prefix
Last modified: 2019-02-24 07:40:13 UTC
From SES 1.0 review

http://bugs.python.org/issue17997

> Python's ssl.match_hostname() does substring matching as specified in RFC 2818:
>
>   Names may contain the wildcard
>   character * which is considered to match any single domain name
>   component or component fragment. E.g., *.a.com matches foo.a.com but
>   not bar.foo.a.com. f*.com matches foo.com but not bar.com.
>
> The RFC doesn't specify how internationalized domain names should be handled
> because it predates RFC 5890 for IDNA by many years. IDNA names are prefixed with
> "xn--", e.g. u"götter.example.de".encode("idna") ==
> "xn--gtter-jua.example.de". This can result in false positive matches for a
> rule like "x*.example.de".

http://bugs.python.org/issue17997#msg195058

> Affected versions:
>
> - Python 3.2 (< 3.2.5)
> - Python 3.3 (< 3.3.3)
> - Python 3.4a1
> - requests < 1.2.3
>   https://pypi.python.org/pypi/requests
> - backports.ssl_match_hostname (<3.2a3)
>   https://pypi.python.org/pypi/backports.ssl_match_hostname/
> - urllib3 < 1.6
>   https://github.com/shazow/urllib3
> - bzr
> - setuptools
  As bug 930189
> - tornado
> - pip

Compatibility concern:

> Yes, it's a security issue. But the patch would change the behavior of the function.
> The current function conforms to RFC 2818. The patch implements RFC 6125, which is
> more restrictive.

Changeset:
https://hg.python.org/cpython/rev/10d0edadbcdd

> Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
> for security reasons. It now doesn't match multiple wildcards nor wildcards
> inside IDN fragments. [#17997]

For python-setuptools: bug 930189
Also see bug 886001 for python (CVE-2013-2099)
No CVE assigned yet for this one.
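Added illustration (not code from CPython, urllib3, requests or this bug's reporter): two small hostname matchers modelled on the two behaviours described above. match_rfc2818() reproduces the pre-fix substring wildcard semantics, so a certificate name like x*.example.de matches the IDNA-encoded xn--gtter-jua.example.de; match_rfc6125() applies the restrictions the changeset describes (at most one wildcard, honoured only in the leftmost label, and never expanded inside or against an "xn--" label). The function names, the CertificateError class and the sample patterns are assumptions chosen for the example; the götter example comes from the report.

```python
import re

# Added example, not the ssl.match_hostname() implementation of any release:
# two matchers modelled on the pre-fix (RFC 2818) and post-fix (RFC 6125)
# behaviours described in the bug. Names and sample inputs are constructed.


class CertificateError(ValueError):
    """Raised for a certificate name pattern the matcher refuses to evaluate."""


def match_rfc2818(pattern, hostname):
    """Pre-fix behaviour: '*' matches any run of characters within a label,
    in any label, any number of times. 'x*.example.de' therefore matches the
    IDNA-encoded 'xn--gtter-jua.example.de' although it was never meant to."""
    parts = []
    for label in pattern.split('.'):
        if label == '*':
            parts.append('[^.]+')
        else:
            parts.append(re.escape(label).replace(r'\*', '[^.]*'))
    regex = re.compile(r'\A' + r'\.'.join(parts) + r'\Z', re.IGNORECASE)
    return regex.match(hostname) is not None


def match_rfc6125(pattern, hostname, max_wildcards=1):
    """Post-fix behaviour:
    - a wildcard is only honoured in the leftmost label,
    - more than max_wildcards '*' characters is an error, not a match,
    - a partial wildcard such as 'x*' is taken literally when either side is
      an IDNA ('xn--') label, so it cannot match an encoded IDN by accident."""
    if not pattern:
        return False
    leftmost, *rest = pattern.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            'too many wildcards in certificate DNS name: %r' % pattern)
    if not wildcards:
        return pattern.lower() == hostname.lower()
    parts = []
    if leftmost == '*':
        # '*.example.de' matches exactly one non-empty label, IDNA or not
        parts.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # no wildcard expansion inside or against an IDNA label
        parts.append(re.escape(leftmost))
    else:
        parts.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    # wildcards in any other label are literal characters
    parts.extend(re.escape(label) for label in rest)
    regex = re.compile(r'\A' + r'\.'.join(parts) + r'\Z', re.IGNORECASE)
    return regex.match(hostname) is not None


def is_rejected(pattern, hostname):
    """True when the RFC 6125 matcher refuses the pattern outright."""
    try:
        match_rfc6125(pattern, hostname)
    except CertificateError:
        return True
    return False


if __name__ == '__main__':
    # constructed input: the IDN from the report, encoded to its ASCII form
    idn_host = 'götter.example.de'.encode('idna').decode('ascii')
    print(idn_host)
    for pattern, host in [('x*.example.de', idn_host),
                          ('*.example.de', idn_host),
                          ('f*.com', 'foo.com'),
                          ('f*.com', 'bar.com'),
                          ('*.a.com', 'foo.a.com'),
                          ('*.a.com', 'bar.foo.a.com'),
                          ('*.*.example.de', 'a.b.example.de')]:
        print('%-16s %-26s rfc2818=%-5s rfc6125=%s' % (
            pattern, host, match_rfc2818(pattern, host),
            match_rfc6125(pattern, host)))
```

Running the module prints the table; the x*.example.de row is the false positive the report describes (True under the old rules, False under the new ones), while *.example.de still matches the encoded name under both, which is the compatibility cost the later comments weigh against the fix.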
bugbot adjusting priority
CVE-2013-7440
(In reply to Andreas Stieger from comment #0)

Because of the compatibility concerns I don't think we can do more here without going through an ECO.
Newer versions are already fixed, and the risk of regressions is higher than the potential benefit for older versions.