ssl.match_hostname(): sub string wildcard should not match IDNA prefix.
Change the behavior of ssl.match_hostname() to follow RFC 6125, for security reasons. It now matches neither multiple wildcards nor wildcards inside IDN fragments. Note that this function was only added to Python 2.7 in a backport to 2.7.9, and was added in its fixed form, so no release of Python 2.7 has this vulnerability.
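As an added illustration (not CPython's own code, although it follows the rule set the 3.3.3 fix adopted): a certificate dNSName matcher that applies the RFC 6125 wildcard restrictions this entry describes, so that a wildcard cannot match inside an IDNA (`xn--`) label and a pattern with several wildcards is rejected as malformed. The `CertificateError` class and the `classify` helper are local assumptions for this example.

```python
import re


class CertificateError(ValueError):
    """Raised for a malformed certificate DNS name (local class, assumed here)."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Return True if certificate name pattern `dn` matches `hostname`.

    Rules: at most one '*', only honoured in the leftmost label; a '*' is
    taken literally when either side's leftmost label is an IDNA label
    (starts with 'xn--'); every other label must match exactly.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Several wildcards in one label: refuse rather than guess, since an
        # over-broad pattern could match hosts the certificate was never issued for.
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # No wildcard at all: plain case-insensitive comparison.
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        # A bare '*' label matches exactly one non-empty label.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # IDNA label on either side: keep the '*' literal, so
        # 'xn--*.example.com' no longer matches every IDN under example.com.
        pats.append(re.escape(leftmost))
    else:
        # Partial wildcard such as 'f*.example.com': '*' matches within one label.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    # Labels to the right of the leftmost one are literal, '*' included.
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def classify(dn, hostname):
    """Helper for review: 'match', 'no match' or 'malformed' for a (pattern, host) pair."""
    try:
        return 'match' if dnsname_match(dn, hostname) else 'no match'
    except CertificateError:
        return 'malformed'
```

Running `classify` over a few constructed pairs, such as `('xn--*.example.com', 'xn--abc.example.com')` or `('a*b*.example.com', 'ab.example.com')`, shows which patterns the fixed rules refuse.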
Dates:
Disclosure date: 2013-05-17 (Python issue bpo-17997 reported)
Python 3.3.3 (2013-11-17) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
Python 3.4.0 (2014-03-16) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
ssl.match_hostname(): sub string wildcard should not match IDNA prefix.
Python issue: bpo-17997
Creation date: 2013-05-17
Reporter: Christian Heimes
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE ID: CVE-2013-7440
Published: 2016-06-07
CVSS Score: 4.3
Timeline using the disclosure date 2013-05-17 as reference:
2013-05-17: Python issue bpo-17997 reported by Christian Heimes
2013-10-27 (+163 days): commit 72c98d3 (branch 3.3)
2013-11-17 (+184 days): Python 3.3.3 released
2014-03-16: Python 3.4.0 released
2016-06-07 (+1117 days): CVE-2013-7440 published