authorDaniele Tricoli <eriol@mornie.org>2013-05-20 19:34:17 +0200
committerDaniele Tricoli <eriol@mornie.org>2013-05-20 19:34:17 +0200
commitc24c18a71d3c96158c9fd17592ec0b6e77f46f96 (patch)
tree5fa720e55bedc90e496fa45fe26ad5372f6646fb
parenta30e589c823358746c943af9ec71c451c514e7b0 (diff)
parentfd657b655be7d400ad85a18d94e248393d52d7e1 (diff)
Imported Debian patch 1.6-2
-rw-r--r--debian/changelog10
-rw-r--r--debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch26
-rw-r--r--debian/patches/series1
3 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index c659984..ae1b0d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+python-urllib3 (1.6-2) unstable; urgency=high
+
+ * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
+ - Added upstream patch to fix possible abuse of ssl.match_hostname()
+ for denial of service using certificates with many wildcards
+ (CVE-2013-2099) (Closes: #709070) Thanks Henri Salo and Jakub
+ Wilk for the report
+
+ -- Daniele Tricoli <eriol@mornie.org> Mon, 20 May 2013 19:34:17 +0200
+
python-urllib3 (1.6-1) unstable; urgency=low
[ Jakub Wilk ]
diff --git a/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch b/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
new file mode 100644
index 0000000..57a4c06
--- /dev/null
+++ b/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
@@ -0,0 +1,26 @@
+Description: Fix possible abuse of ssl.match_hostname() for denial
+ of service using certificates with many wildcards (CVE-2013-2099)
+Origin: http://hg.python.org/cpython/rev/c627638753e2
+Bug: http://bugs.python.org/issue17980
+Bug-Debian: http://bugs.debian.org/709070
+
+--- a/urllib3/packages/ssl_match_hostname/__init__.py
++++ b/urllib3/packages/ssl_match_hostname/__init__.py
+@@ -7,9 +7,16 @@
+ class CertificateError(ValueError):
+ pass
+
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+ pats = []
+ for frag in dn.split(r'.'):
++ if frag.count('*') > max_wildcards:
++ # Issue #17980: avoid denials of service by refusing more
++ # than one wildcard per fragment. A survery of established
++ # policy among SSL implementations showed it to be a
++ # reasonable choice.
++ raise CertificateError(
++ "too many wildcards in certificate DNS name: " + repr(dn))
+ if frag == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
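Review bot: The new `frag.count('*') > max_wildcards` guard does remove the exponential `[^.]*` repetition inside a single label that made this a DoS, but it still accepts one wildcard in every label and in any position (`*.*.*.example.com` or `www.*.example.com` pass), so if the package later tracks upstream's stricter handling (wildcard accepted only in the leftmost label, per RFC 6125) this backport will need revisiting — worth recording in the DEP-3 header, e.g. `Comment: limits wildcards per label only; does not enforce leftmost-label-only matching`. The message built with `repr(dn)` embeds a value that presumably comes straight from the peer certificate, so anything that logs this CertificateError records attacker-supplied text; acceptable here, but callers should not assume it is sanitised. Per DEP-3 the `Origin:` field should carry a category, e.g. `Origin: backport, http://hg.python.org/cpython/rev/c627638753e2`, and the diffstat shows the patch ships no test exercising the rejection path. The inherited comment has a typo (`survery` → `survey`). `_dnsname_to_pat` continues past the end of this hunk (the remaining fragment handling and the final pattern compilation are not shown).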
diff --git a/debian/patches/series b/debian/patches/series
index a8d0b0b..f44758a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
03_no-setuptools.patch
04_relax_nosetests_options.patch
05_fix_python3_syntax_error_in_ntlmpool.patch
+06_fix_abuse_of_match_hostname_for_DoS.patch