[Python-modules-commits] r24459 - in packages/python-urllib3/trunk/debian (3 files)

eriol-guest at users.alioth.debian.org
Mon May 20 17:48:01 UTC 2013


    Date: Monday, May 20, 2013 @ 17:47:59
  Author: eriol-guest
Revision: 24459

* debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
  - Added upstream patch to fix possible abuse of ssl.match_hostname()
    for denial of service using certificates with many wildcards
    (CVE-2013-2099) (Closes: #709070). Thanks to Henri Salo and Jakub
    Wilk for the report.

Added:
  packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
Modified:
  packages/python-urllib3/trunk/debian/changelog
  packages/python-urllib3/trunk/debian/patches/series

Modified: packages/python-urllib3/trunk/debian/changelog
===================================================================
--- packages/python-urllib3/trunk/debian/changelog	2013-05-20 17:43:09 UTC (rev 24458)
+++ packages/python-urllib3/trunk/debian/changelog	2013-05-20 17:47:59 UTC (rev 24459)
@@ -1,3 +1,13 @@
+python-urllib3 (1.6-2) UNRELEASED; urgency=low
+
+  * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
+    - Added upstream patch to fix possible abuse of ssl.match_hostname()
+      for denial of service using certificates with many wildcards
+      (CVE-2013-2099) (Closes: #709070) Thanks Henri Salo and Jakub
+      Wilk for the report
+
+ -- Daniele Tricoli <eriol at mornie.org>  Mon, 20 May 2013 19:34:17 +0200
+
 python-urllib3 (1.6-1) unstable; urgency=low
 
   [ Jakub Wilk ]
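Review bot: the new 1.6-2 entry names the CVE and the Debian bug but not what the fix actually does; since this is the entry security teams will read when triaging, consider adding that the patch caps wildcards at one per DNS-name fragment and makes ssl_match_hostname raise CertificateError for certificates that exceed it. Minor: the line "Wilk for the report" is missing its closing punctuation, and "Thanks Henri Salo" reads better as "Thanks to Henri Salo". The UNRELEASED distribution is appropriate while the upload is still pending.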

Added: packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
===================================================================
--- packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch	                        (rev 0)
+++ packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch	2013-05-20 17:47:59 UTC (rev 24459)
@@ -0,0 +1,26 @@
+Description: Fix possible abuse of ssl.match_hostname() for denial
+ of service using certificates with many wildcards (CVE-2013-2099)
+Origin: http://hg.python.org/cpython/rev/c627638753e2
+Bug: http://bugs.python.org/issue17980
+Bug-Debian: http://bugs.debian.org/709070
+
+--- a/urllib3/packages/ssl_match_hostname/__init__.py
++++ b/urllib3/packages/ssl_match_hostname/__init__.py
+@@ -7,9 +7,16 @@
+ class CertificateError(ValueError):
+     pass
+ 
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):    
+     pats = []
+     for frag in dn.split(r'.'):
++        if frag.count('*') > max_wildcards:
++            # Issue #17980: avoid denials of service by refusing more
++            # than one wildcard per fragment.  A survery of established
++            # policy among SSL implementations showed it to be a
++            # reasonable choice.
++            raise CertificateError(
++                    "too many wildcards in certificate DNS name: " + repr(dn))
+         if frag == '*':
+             # When '*' is a fragment by itself, it matches a non-empty dotless
+             # fragment.
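Review bot: the line `+def _dnsname_to_pat(dn, max_wildcards=1):    ` in the inner hunk carries trailing whitespace after the colon, and the added comment has the upstream typo "survery" (should be "survey"); because this is a verbatim backport of the CPython changeset given in `Origin:`, leaving both untouched is defensible, but a `Last-Update:` DEP-3 field would make later refreshes against upstream traceable. Functionally the check is placed correctly: `frag.count('*') > max_wildcards` runs on each dot-separated fragment before any regex pattern is appended to `pats`, so a certificate name stuffed with wildcards is rejected with CertificateError before the expensive matching step, which is what removes the denial-of-service condition tracked in `Bug: http://bugs.python.org/issue17980`. One thing worth verifying when refreshing: the hunk header `@@ -7,9 +7,16 @@` assumes the urllib3 copy of ssl_match_hostname still has the same surrounding context as CPython's, so a future urllib3 bump may need this patch re-based or dropped if upstream urllib3 picks up the same fix.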

Modified: packages/python-urllib3/trunk/debian/patches/series
===================================================================
--- packages/python-urllib3/trunk/debian/patches/series	2013-05-20 17:43:09 UTC (rev 24458)
+++ packages/python-urllib3/trunk/debian/patches/series	2013-05-20 17:47:59 UTC (rev 24459)
@@ -3,3 +3,4 @@
 03_no-setuptools.patch
 04_relax_nosetests_options.patch
 05_fix_python3_syntax_error_in_ntlmpool.patch
+06_fix_abuse_of_match_hostname_for_DoS.patch
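Review bot: ordering is fine; the new patch is appended after 05_fix_python3_syntax_error_in_ntlmpool.patch and touches a different file (urllib3/packages/ssl_match_hostname/__init__.py), so it does not depend on or conflict with the earlier patches in the series.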