Description
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
python3.4 | fixed | 3.4~b1-4 | | package |
python3.3 | fixed | 3.3.3-1 | | package |
python3.2 | removed | | | package |
python3.2 | no-dsa | | wheezy | package |
python3.1 | removed | | | package |
python3.1 | no-dsa | | squeeze | package |
python2.7 | fixed | 2.7.9-1 | | package |
python2.7 | no-dsa | | wheezy | package |
python2.6 | removed | | | package |
python2.6 | no-dsa | | wheezy | package |
python2.6 | no-dsa | | squeeze | package |
python2.5 | removed | | | package |
python2.5 | no-dsa | | squeeze | package |
Notes
https://bugs.python.org/issue17997#msg194950
https://hg.python.org/cpython/rev/10d0edadbcdd
The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult.