/[advisories]/10391.adv
ViewVC logotype

Contents of /10391.adv

Parent Directory Parent Directory | Revision Log Revision Log


Revision 374 - (show annotations) (download)
Mon Aug 26 19:14:32 2013 UTC (4 years, 1 month ago) by davidwhodgins
File size: 2034 byte(s)
Updating security advisory (correct CVE number) for python3 mga#10391
1 type: security
2 subject: Updated python3, bzr and some python packages fix security vulnerabilties
3 CVE:
4 - CVE-2013-2099
5 - CVE-2013-4238
6 src:
7 2:
8 core:
9 - python3-3.2.3-1.5.mga2
10 - python-tornado-2.2.1-1.1.mga2
11 - bzr-2.5.1-1.1.mga2
12 3:
13 core:
14 - python3-3.3.0-4.3.mga3
15 - python-pip-1.3.1-2.1.mga3
16 - python-tornado-2.3-2.1.mga3
17 - bzr-2.5.1-3.1.mga3
18 - python-requests-0.13.5-2.1.mga3
19 - python-virtualenv-1.9.1-1.2.mga3
20 description: |
21 Updated python3 packages fix security vulnerabilities:
22
23 A denial of service flaw was found in the way SSL module implementation of
24 Python 3 performed matching of the certificate's name in the case it contained
25 many '*' wildcard characters. A remote attacker, able to obtain valid
26 certificate with its name containing a lot of '*' wildcard characters could use
27 this flaw to cause denial of service (excessive CPU consumption) by issuing
28 request to validate such a certificate for / to an application using the
29 Python's ssl.match_hostname() functionality (CVE-2013-2099).
30
31 Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL
32 module doesn't handle NULL bytes inside subjectAltNames general names. This
33 could lead to a breach when an application uses ssl.match_hostname() to match
34 the hostname againt the certificate's subjectAltName's dNSName general names.
35 (CVE-2013-4238).
36
37 Additionally, a linking issue when compiling C extensions for Python 3 has been
38 fixed in Mageia 3 (mga#9395).
39
40 The CVE-2013-2099 issue also affects bzr, python-requests, python-tornado,
41 python-pip, and python-virtualenv, and those have been updated as well.
42 references:
43 - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099
44 - http://bugs.python.org/issue18709
45 - https://bugs.mageia.org/show_bug.cgi?id=9395
46 - https://bugs.mageia.org/show_bug.cgi?id=10989
47 - https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
48 - https://bugs.mageia.org/show_bug.cgi?id=10391
49 ID: MGASA-2013-0252

  ViewVC Help
Powered by ViewVC 1.1.26