exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 9 of 9 RSS Feed

CVE-2013-2099

Status Candidate

Overview

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Related Files

Red Hat Security Advisory 2016-1166-01
Posted May 31, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1166-01 - Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. Security Fix: The following fix was applied to the python component: The Python standard library HTTP client modules did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2013-2099, CVE-2013-7440
SHA-256 | 116aa091e5b51bb4e976b645fbaaff53c6753ebb9b4ca77c61747631d4c5f4c6
Red Hat Security Advisory 2015-0042-01
Posted Jan 14, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0042-01 - The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install ssh keys and to let the user run various scripts. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU. This issue was discovered by Florian Weimer of Red Hat Product Security.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
SHA-256 | 6706af2caac638d9939aa28f31ae15f6d34e9050051252c075201903cea2c614
Red Hat Security Advisory 2014-1690-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1690-01 - The python-backports-ssl_match_hostname package provides RFC 6125 compliant wildcard matching. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU. This issue was discovered by Florian Weimer of Red Hat Product Security.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
SHA-256 | 630f007e3d3cbb97e3d958feade33386613235e76e9498f96c508f28f5197ea2
Red Hat Security Advisory 2014-1263-01
Posted Sep 18, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1263-01 - Red Hat Storage is software-only, scale-out storage that provides flexible and affordable unstructured data storage for an enterprise. GlusterFS, a key building block of Red Hat Storage, is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
SHA-256 | 07935517a1160d0ddf3e661cb88a20de2f6f667843baa9ea71638f4e8bdc0550
Gentoo Linux Security Advisory 201401-04
Posted Jan 6, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201401-4 - Multiple vulnerabilities have been found in Python, worst of which allows remote attackers to cause a Denial of Service condition. Versions less than 3.3.2-r1 are affected.

tags | advisory, remote, denial of service, vulnerability, python
systems | linux, gentoo
advisories | CVE-2010-1634, CVE-2010-2089, CVE-2010-3492, CVE-2010-3493, CVE-2011-1015, CVE-2012-0845, CVE-2012-1150, CVE-2013-2099
SHA-256 | ea1459ef6b2a4cd82ae9954fd97f9d0188e19037466f94dc888a2a8b46709ebc
Ubuntu Security Notice USN-1985-1
Posted Oct 1, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1985-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, denial of service, python
systems | linux, ubuntu
advisories | CVE-2013-2099, CVE-2013-4238, CVE-2013-2099, CVE-2013-4238
SHA-256 | 0f366392969f20155d45311d551bc121f8cca2af29a02d07e5e1e546d84e407f
Ubuntu Security Notice USN-1983-1
Posted Oct 1, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1983-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. This issue only affected Ubuntu 13.04. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, denial of service, python
systems | linux, ubuntu
advisories | CVE-2013-2099, CVE-2013-4238, CVE-2013-2099, CVE-2013-4238
SHA-256 | 9ab7514520e21d4cb81b76c6be2121d9d8ecc991fae05d293e5e8061b9f84a2a
Ubuntu Security Notice USN-1984-1
Posted Oct 1, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1984-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, denial of service, python
systems | linux, ubuntu
advisories | CVE-2013-2099, CVE-2013-4238, CVE-2013-2099, CVE-2013-4238
SHA-256 | c673c920639adac95e57596bc8aab64ff8ca0183257ddb8017aaad829ee17e9a
Mandriva Linux Security Advisory 2013-229
Posted Sep 10, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-229 - A denial of service flaw was found in the way SSL module implementation of Python 3 performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain valid certificate with its name containing a lot of '*' wildcard characters could use this flaw to cause denial of service (excessive CPU consumption) by issuing request to validate such a certificate for / to an application using the Python's ssl.match_hostname() functionality.

tags | advisory, remote, denial of service, python
systems | linux, mandriva
advisories | CVE-2013-2099
SHA-256 | e55f4fdbd1dac58bc000e9004a9873f1d5b813753890f488ddd4a4260314a28c
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close