
Annotation of /10391.adv



Revision 374
Mon Aug 26 19:14:32 2013 UTC (7 years, 6 months ago) by davidwhodgins
File size: 2034 byte(s)
Updating security advisory (correct CVE number) for python3 mga#10391
1 claire 353 type: security
2     subject: Updated python3, bzr and some python packages fix security vulnerabilities
3     CVE:
4     - CVE-2013-2099
5 davidwhodgins 374 - CVE-2013-4238
6 claire 353 src:
7     2:
8     core:
9     - python3-3.2.3-1.5.mga2
10     - python-tornado-2.2.1-1.1.mga2
11     - bzr-2.5.1-1.1.mga2
12     3:
13     core:
14     - python3-3.3.0-4.3.mga3
15     - python-pip-1.3.1-2.1.mga3
16     - python-tornado-2.3-2.1.mga3
17     - bzr-2.5.1-3.1.mga3
18     - python-requests-0.13.5-2.1.mga3
19     - python-virtualenv-1.9.1-1.2.mga3
20     description: |
21     Updated python3 packages fix security vulnerabilities:
22    
23     A denial of service flaw was found in the way the SSL module of Python 3
24     matched the certificate's name when it contained many '*' wildcard
25     characters. A remote attacker able to obtain a valid certificate with a
26     name containing many '*' wildcard characters could use this flaw to cause
27     a denial of service (excessive CPU consumption) by issuing a request to
28     validate such a certificate to an application using Python's
29     ssl.match_hostname() functionality (CVE-2013-2099).
30    
31     Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL
32     module doesn't handle NULL bytes inside subjectAltNames general names. This
33     could lead to a breach when an application uses ssl.match_hostname() to match
34     the hostname against the certificate's subjectAltName's dNSName general names.
35 davidwhodgins 374 (CVE-2013-4238).
36 claire 353
37     Additionally, a linking issue when compiling C extensions for Python 3 has been
38     fixed in Mageia 3 (mga#9395).
39    
40     The CVE-2013-2099 issue also affects bzr, python-requests, python-tornado,
41     python-pip, and python-virtualenv, and those have been updated as well.
42     references:
43     - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099
44     - http://bugs.python.org/issue18709
45     - https://bugs.mageia.org/show_bug.cgi?id=9395
46     - https://bugs.mageia.org/show_bug.cgi?id=10989
47     - https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
48     - https://bugs.mageia.org/show_bug.cgi?id=10391
49 tmb 361 ID: MGASA-2013-0252
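
Added example, not part of the advisory, CPython or the Mageia packages: a stand-alone dNSName matcher that refuses the two inputs the description covers (names with many '*' wildcards, CVE-2013-2099, and names containing a NUL byte, CVE-2013-4238) before any matching is done. The function names, the wildcard cap of 1 and the sample names are assumptions made for this illustration.

```python
# Illustration only; not the ssl module's code and not the packaged fix.
import re

MAX_WILDCARDS = 1  # assumption: cap chosen for this example


class NameCheckError(ValueError):
    """A certificate name that is refused outright instead of matched."""


def dnsname_matches(dnsname, hostname):
    """Match one dNSName from a certificate against the requested hostname."""
    # CVE-2013-4238 class: code that stops reading at an embedded NUL sees
    # only the part of the name before it, so such names are never matched.
    if "\x00" in dnsname:
        raise NameCheckError("NUL byte in dNSName")
    # CVE-2013-2099 class: each '*' becomes a regex fragment, so a name with
    # many of them makes matching expensive. Refuse before building a pattern.
    if dnsname.count("*") > MAX_WILDCARDS:
        raise NameCheckError("too many wildcards in dNSName")
    labels = dnsname.lower().split(".")
    host_labels = hostname.lower().split(".")
    if "*" in "".join(labels[1:]):
        raise NameCheckError("wildcard outside the leftmost label")
    if len(labels) != len(host_labels) or labels[1:] != host_labels[1:]:
        return False
    # The single permitted wildcard stays inside the leftmost label and
    # never matches across a dot.
    pattern = "[^.]+".join(re.escape(part) for part in labels[0].split("*"))
    return re.fullmatch(pattern, host_labels[0]) is not None


def check_certificate(dnsnames, hostname):
    """Return (accepted, refused); any refused name fails the certificate."""
    refused, matched = [], False
    for name in dnsnames:
        try:
            matched = dnsname_matches(name, hostname) or matched
        except NameCheckError as exc:
            refused.append((name, str(exc)))
    return matched and not refused, refused


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    samples = [["*.example.org"], ["*" * 40 + ".example.org"],
               ["www.example.org\x00.invalid"]]
    for names in samples:
        print(check_certificate(names, "www.example.org"))
```
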
