[Python-modules-commits] r26174 - in packages/python-urllib3/trunk/debian (2 files)
eriol-guest at users.alioth.debian.org
Wed Oct 16 15:41:47 UTC 2013
Date: Wednesday, October 16, 2013 @ 15:41:44
Author: eriol-guest
Revision: 26174
Removed 06_fix_abuse_of_match_hostname_for_DoS.patch since fixed upstream
Modified:
packages/python-urllib3/trunk/debian/changelog
Deleted:
packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
Modified: packages/python-urllib3/trunk/debian/changelog
===================================================================
--- packages/python-urllib3/trunk/debian/changelog 2013-10-16 15:35:33 UTC (rev 26173)
+++ packages/python-urllib3/trunk/debian/changelog 2013-10-16 15:41:44 UTC (rev 26174)
@@ -9,8 +9,10 @@
- Refreshed
* debian/patches/05_fix_python3_syntax_error_in_ntlmpool.patch
- Removed since fixed upstream
+ * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
+ - Removed since fixed upstream
- -- Daniele Tricoli <eriol at mornie.org> Wed, 16 Oct 2013 17:33:45 +0200
+ -- Daniele Tricoli <eriol at mornie.org> Wed, 16 Oct 2013 17:39:22 +0200
python-urllib3 (1.6-2) unstable; urgency=high
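Review bot: The new changelog entry for debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch says only "Removed since fixed upstream", which drops a security patch without recording what it fixed. The deleted patch's header cites CVE-2013-2099 and Bug-Debian http://bugs.debian.org/709070, so the entry should name the CVE and state which upstream release carries the fix. That lets anyone auditing the package history confirm the wildcard DoS check was not lost between revisions.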
Deleted: packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
===================================================================
--- packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch 2013-10-16 15:35:33 UTC (rev 26173)
+++ packages/python-urllib3/trunk/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch 2013-10-16 15:41:44 UTC (rev 26174)
@@ -1,26 +0,0 @@
-Description: Fix possible abuse of ssl.match_hostname() for denial
- of service using certificates with many wildcards (CVE-2013-2099)
-Origin: http://hg.python.org/cpython/rev/c627638753e2
-Bug: http://bugs.python.org/issue17980
-Bug-Debian: http://bugs.debian.org/709070
-
---- a/urllib3/packages/ssl_match_hostname/__init__.py
-+++ b/urllib3/packages/ssl_match_hostname/__init__.py
-@@ -7,9 +7,16 @@
- class CertificateError(ValueError):
- pass
-
--def _dnsname_to_pat(dn):
-+def _dnsname_to_pat(dn, max_wildcards=1):
- pats = []
- for frag in dn.split(r'.'):
-+ if frag.count('*') > max_wildcards:
-+ # Issue #17980: avoid denials of service by refusing more
-+ # than one wildcard per fragment. A survery of established
-+ # policy among SSL implementations showed it to be a
-+ # reasonable choice.
-+ raise CertificateError(
-+ "too many wildcards in certificate DNS name: " + repr(dn))
- if frag == '*':
- # When '*' is a fragment by itself, it matches a non-empty dotless
- # fragment.
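Review bot: Verification is missing for the removal of the `frag.count('*') > max_wildcards` check in `_dnsname_to_pat`: nothing in this commit shows that the upstream source being packaged already raises `CertificateError` for a DNS name with more than one wildcard per fragment. Before dropping the patch, confirm that the bundled urllib3/packages/ssl_match_hostname/__init__.py carries the equivalent guard. Consider also a build-time test that passes `_dnsname_to_pat` a name with several `*` in one fragment and expects `CertificateError`, so a later upstream refresh cannot silently reintroduce CVE-2013-2099.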