-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch26
2 files changed, 3 insertions, 27 deletions
diff --git a/debian/changelog b/debian/changelog
index 7a9582d..93aa9ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,8 +9,10 @@ python-urllib3 (1.7.1-1) UNRELEASED; urgency=low
- Refreshed
* debian/patches/05_fix_python3_syntax_error_in_ntlmpool.patch
- Removed since fixed upstream
+ * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
+ - Removed since fixed upstream
- -- Daniele Tricoli <eriol@mornie.org> Wed, 16 Oct 2013 17:33:45 +0200
+ -- Daniele Tricoli <eriol@mornie.org> Wed, 16 Oct 2013 17:39:22 +0200
python-urllib3 (1.6-2) unstable; urgency=high
diff --git a/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch b/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
deleted file mode 100644
index 57a4c06..0000000
--- a/debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Description: Fix possible abuse of ssl.match_hostname() for denial
- of service using certificates with many wildcards (CVE-2013-2099)
-Origin: http://hg.python.org/cpython/rev/c627638753e2
-Bug: http://bugs.python.org/issue17980
-Bug-Debian: http://bugs.debian.org/709070
-
---- a/urllib3/packages/ssl_match_hostname/__init__.py
-+++ b/urllib3/packages/ssl_match_hostname/__init__.py
-@@ -7,9 +7,16 @@
- class CertificateError(ValueError):
- pass
-
--def _dnsname_to_pat(dn):
-+def _dnsname_to_pat(dn, max_wildcards=1):
- pats = []
- for frag in dn.split(r'.'):
-+ if frag.count('*') > max_wildcards:
-+ # Issue #17980: avoid denials of service by refusing more
-+ # than one wildcard per fragment. A survery of established
-+ # policy among SSL implementations showed it to be a
-+ # reasonable choice.
-+ raise CertificateError(
-+ "too many wildcards in certificate DNS name: " + repr(dn))
- if frag == '*':
- # When '*' is a fragment by itself, it matches a non-empty dotless
- # fragment.