[CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bazaar | Fix Released | Medium | Andrew Starr-Bochicchio | |
| Python | Fix Released | Unknown | | |
| bzr (Debian) | Fix Released | Unknown | | |
| bzr (Ubuntu) | Fix Released | Medium | Andrew Starr-Bochicchio | |
Bug Description
/bzrlib/
Python Bug: http://
CVE request: http://
Probable fix: http://
ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: bzr 2.6.0~bzr6571-
ProcVersionSign
Uname: Linux 3.8.0-21-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Mon May 20 11:36:23 2013
InstallationDate: Installed on 2013-03-16 (64 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130316)
MarkForUpload: True
PackageArchitec
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)
Related branches
- bzr-core: Pending requested
-
Diff: 48 lines (+24/-1), 2 files modified
- bzrlib/tests/test_https_urllib.py (+16/-0)
- bzrlib/transport/http/_urllib2_wrappers.py (+8/-1)
CVE References
Changed in bzr: | |
status: | Triaged → In Progress |
assignee: | nobody → Andrew Starr-Bochicchio (andrewsomething) |
Changed in bzr (Debian): | |
status: | Unknown → Confirmed |
Changed in python: | |
status: | Unknown → Fix Released |
Changed in bzr (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → Andrew Starr-Bochicchio (andrewsomething) |
Changed in bzr: | |
status: | In Progress → Fix Committed |
milestone: | none → 2.6b3 |
Changed in bzr (Debian): | |
status: | Confirmed → Fix Released |
Changed in bzr: | |
status: | Fix Committed → Fix Released |
Changed in bzr: | |
milestone: | 2.6b3 → 2.6.0 |
Fixed both upstream and Debian. Attached debdiff merges the fix from Debian.
(I've dropped the Ubuntu change to Vcs fields as the UDD bzr imports for both Debian and Ubuntu are out of date. So that branch isn't very helpful. Yes, I realize that is a bit ironic...)
Changes since last Ubuntu version:

bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low
.
  * Merge from Debian unstable. Remaining Ubuntu changes:
    - Drop build dependencies on python-{meliae, lzma, medusa}
      which are not in main.
  * Drop changes to Vcs fields. The UDD imports are out of date.
.
bzr (2.6.0~bzr6574-1) unstable; urgency=low
.
  * New upstream snapshot.
    - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
      SSL cert hostname segment (Closes: #709068, LP: #1182124).
.
bzr (2.6.0~bzr6573-1) unstable; urgency=low
.
  * Upload to unstable.
  * New upstream snapshot.
  * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
    (LP: #1116079, #1160572).
  * Drop debian/patches/04_revert_ui_changes, fixed upstream.
  * Drop deprecated Dm-Upload-Allowed field.
  * Bump Standards-Version to 3.9.4, no changes needed.
  * Drop un-needed Build-Conflicts on python-gpgme.
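The mitigation the changelog describes (refuse certificate DNS names with more than one wildcard in a single hostname label, before any pattern matching happens) as an added example. This is not bzr's `_urllib2_wrappers.py` code nor CPython's `ssl.match_hostname`; the function names `dnsname_match` and `match_hostname`, the `CertificateError` class and the sample certificate dicts are constructed for this illustration.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name cannot be accepted for a hostname."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one certificate DNS name (possibly with a wildcard) against hostname.

    Rules: wildcards are only honoured in the leftmost label, a wildcard label
    never spans a dot, and a name whose leftmost label carries more than
    max_wildcards '*' characters is rejected outright. Rejecting up front keeps
    the regex built below linear in the name length, which is the point of the
    CVE-2013-2099 fix: the check runs before any pattern is compiled.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split(".")

    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)

    # No wildcard: a plain case-insensitive comparison is all that is needed.
    if not wildcards:
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == "*":
        # "*.example.com" matches exactly one non-empty label.
        pats.append("[^.]+")
    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
        # RFC 6125 6.4.3: no partial wildcards inside IDNA A-labels.
        pats.append(re.escape(leftmost))
    else:
        # Partial wildcard such as "f*o": the '*' may not cross a dot.
        pats.append(re.escape(leftmost).replace(r"\*", "[^.]*"))
    pats.extend(re.escape(frag) for frag in remainder)

    pat = re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname, max_wildcards=1):
    """Return the certificate name that matched hostname, else raise.

    cert uses the same shape as ssl.getpeercert(): a dict with optional
    'subjectAltName' (sequence of (type, value) pairs) and 'subject'
    (sequence of RDNs, each a sequence of (type, value) pairs). Only DNS SANs
    are consulted; commonName is a fallback when no DNS SAN is present.
    """
    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if dnsname_match(value, hostname, max_wildcards):
                return value
            dnsnames.append(value)
    if not dnsnames:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if dnsname_match(value, hostname, max_wildcards):
                        return value
                    dnsnames.append(value)
    if dnsnames:
        raise CertificateError("hostname %r doesn't match %s"
                               % (hostname, ", ".join(map(repr, dnsnames))))
    raise CertificateError(
        "no appropriate commonName or subjectAltName fields were found")


# Constructed sample certificates (not real peer certificates).
GOOD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
MULTI_WILDCARD_CERT = {
    "subjectAltName": (("DNS", "a*b*c*d.example.com"),),
}


def classify(cert, hostname):
    """Small wrapper returning ('ok', matched_name) or ('rejected', reason)."""
    try:
        return ("ok", match_hostname(cert, hostname))
    except CertificateError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(classify(GOOD_CERT, "mail.example.com"))
    print(classify(MULTI_WILDCARD_CERT, "abcd.example.com"))
```

The wildcard count is checked before the regular expression is assembled, so a name with many `*` characters in one label costs a `str.count` call rather than a regex match, which is the behaviour the bzr and CPython patches introduced.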