author | Daniele Tricoli <eriol@mornie.org> | 2013-05-20 17:47:59 +0000 |
---|---|---|
committer | Daniele Tricoli <eriol@mornie.org> | 2013-05-20 17:47:59 +0000 |
commit | 2c05e52e60674a2d9240c05330f11875096c6e71 (patch) | |
tree | 6c552b94f193feadd7e2459bf062d7a6bc801495 | |
parent | 3fe56c4651d649b313c1640a795c3545b3972d8b (diff) | |
* debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
- Added upstream patch to fix possible abuse of ssl.match_hostname()
for denial of service using certificates with many wildcards
(CVE-2013-2099) (Closes: #709070) Thanks Henri Salo and Jakub
Wilk for the report
-rw-r--r-- | debian/changelog | 10 | ||||
-rw-r--r-- | debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch | 26 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index c659984..cbf79ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+python-urllib3 (1.6-2) UNRELEASED; urgency=low
+
+ * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
+ - Added upstream patch to fix possible abuse of ssl.match_hostname()
+ for denial of service using certificates with many wildcards
+ (CVE-2013-2099) (Closes: #709070) Thanks Henri Salo and Jakub
+ Wilk for the report
+
+ -- Daniele Tricoli <eriol@mornie.org> Mon, 20 May 2013 19:34:17 +0200
+
 python-urllib3 (1.6-1) unstable; urgency=low
 [ Jakub Wilk ]
diff --git a/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch b/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
new file mode 100644
index 0000000..57a4c06
--- /dev/null
+++ b/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
@@ -0,0 +1,26 @@
+Description: Fix possible abuse of ssl.match_hostname() for denial
+ of service using certificates with many wildcards (CVE-2013-2099)
+Origin: http://hg.python.org/cpython/rev/c627638753e2
+Bug: http://bugs.python.org/issue17980
+Bug-Debian: http://bugs.debian.org/709070
+
+--- a/urllib3/packages/ssl_match_hostname/__init__.py
++++ b/urllib3/packages/ssl_match_hostname/__init__.py
+@@ -7,9 +7,16 @@
+ class CertificateError(ValueError):
+ pass
+
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+ pats = []
+ for frag in dn.split(r'.'):
++ if frag.count('*') > max_wildcards:
++ # Issue #17980: avoid denials of service by refusing more
++ # than one wildcard per fragment. A survery of established
++ # policy among SSL implementations showed it to be a
++ # reasonable choice.
++ raise CertificateError(
++ "too many wildcards in certificate DNS name: " + repr(dn))
+ if frag == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
diff --git a/debian/patches/series b/debian/patches/series
index a8d0b0b..f44758a 100644
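Review bot: The new `frag.count('*') > max_wildcards` guard is applied to the vendored `ssl_match_hostname` copy without any accompanying test, so nothing in the package build exercises it; the CPython revision named in the `Origin:` line appears to carry a regression test as well, and a one-line equivalent such as `self.assertRaises(CertificateError, _dnsname_to_pat, '**.example.org')` would catch the guard being dropped on the next refresh of the bundled module. The guard sits before the existing `if frag == '*'` special case, so a fragment that is exactly `*` (count 1, not greater than `max_wildcards`) still takes the unchanged path. The remainder of `_dnsname_to_pat` (the regex assembly after the loop) and its callers (presumably `match_hostname` in the same module) lie outside the hunk, so whether the raised `CertificateError` reaches callers the same way as a hostname mismatch cannot be confirmed from this diff. The DEP-3 header has no `Forwarded:` field; because the fix targets urllib3's bundled copy rather than CPython itself, recording whether it was sent to urllib3 upstream would help the next maintainer.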
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 03_no-setuptools.patch
 04_relax_nosetests_options.patch
 05_fix_python3_syntax_error_in_ntlmpool.patch
+06_fix_abuse_of_match_hostname_for_DoS.patch |