RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://python-security.readthedocs.io/vuln/ssl-null-subjectaltnames.html below:

NULL in subjectAltNames — Python Security 0.0 documentation

ssl: NULL in subjectAltNames¶

SSL module fails to handle NULL bytes inside subjectAltNames general names.

It’s related to Ruby’s CVE-2013-4073.

Issue #18709 reported by Christian Heimes at 2013-08-12.

Dates:

Disclosure date: 2013-06-27 (Ruby issue)
Reported by: Ryan Sleevi of the Google Chrome Security Team

Fixed In¶

Python 2.6.9 (2013-10-29) fixed by commit 82f8828 (branch 2.7) (2013-08-23)
Python 2.7.6 (2013-11-10) fixed by commit 82f8828 (branch 2.7) (2013-08-23)
Python 3.2.6 (2014-10-12) fixed by commit ec3c103 (branch 3.2) (2014-09-30)
Python 3.3.3 (2013-11-17) fixed by commit 824f7f3 (branch 3.3) (2013-08-16)
Python 3.4.0 (2014-03-16) fixed by commit 824f7f3 (branch 3.3) (2013-08-16)

Python issue¶

SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238).

Python issue: bpo-18709
Creation date: 2013-08-12
Reporter: Christian Heimes

CVE-2013-4238¶

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a ‘0’ character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVE ID: CVE-2013-4238
Published: 2013-08-18
CVSS Score: 4.3

Timeline¶

Timeline using the disclosure date 2013-06-27 as reference:

2013-06-27: Disclosure date (Ruby issue)
2013-08-12 (+46 days): Python issue bpo-18709 reported by Christian Heimes
2013-08-16 (+50 days): commit 824f7f3 (branch 3.3)
2013-08-18 (+52 days): CVE-2013-4238 published
2013-08-23 (+57 days): commit 82f8828 (branch 2.7)
2013-10-29 (+124 days): Python 2.6.9 released
2013-11-10 (+136 days): Python 2.7.6 released
2013-11-17 (+143 days): Python 3.3.3 released
2014-03-16: Python 3.4.0 released
2014-09-30 (+460 days): commit ec3c103 (branch 3.2)
2014-10-12 (+472 days): Python 3.2.6 released

Links¶

https://nvd.nist.gov/vuln/detail/CVE-2013-4073/

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4