CVE-2013-4238: Input Validation
First published: Tue Aug 13 2013(Updated: )
A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. References: <a href="http://bugs.python.org/issue18709">http://bugs.python.org/issue18709</a> <a href="http://bugs.python.org/file31241/CVE-2013-4073_py34.patch">http://bugs.python.org/file31241/CVE-2013-4073_py34.patch</a> <a href="http://bugs.python.org/file31242/CVE-2013-4073_py33.patch">http://bugs.python.org/file31242/CVE-2013-4073_py33.patch</a> <a href="http://bugs.python.org/file31243/CVE-2013-4073_py27.patch">http://bugs.python.org/file31243/CVE-2013-4073_py27.patch</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ubuntu Linux | =10.04 | |
| Python Programming Language | =2.6.1 | |
| Python Programming Language | =2.6.2 | |
| Python Programming Language | =2.6.3 | |
| Python Programming Language | =2.6.4 | |
| Python Programming Language | =2.6.5 | |
| Python Programming Language | =2.6.6 | |
| Python Programming Language | =2.6.7 | |
| Python Programming Language | =2.6.8 | |
| Python Programming Language | =2.6.2150 | |
| Python Programming Language | =2.6.6150 | |
| Python Programming Language | =2.7.1 | |
| Python Programming Language | =2.7.1-rc1 | |
| Python Programming Language | =2.7.2-rc1 | |
| Python Programming Language | =2.7.3 | |
| Python Programming Language | =2.7.1150 | |
| Python Programming Language | =2.7.1150 | |
| Python Programming Language | =2.7.2150 | |
| Python Programming Language | =3.0 | |
| Python Programming Language | =3.0.1 | |
| Python Programming Language | =3.1 | |
| Python Programming Language | =3.1.1 | |
| Python Programming Language | =3.1.2 | |
| Python Programming Language | =3.1.3 | |
| Python Programming Language | =3.1.4 | |
| Python Programming Language | =3.1.5 | |
| Python Programming Language | =3.1.2150 | |
| Python Programming Language | =3.2 | |
| Python Programming Language | =3.2-alpha | |
| Python Programming Language | =3.2.3 | |
| Python Programming Language | =3.2.2150 | |
| Python Programming Language | =3.3 | |
| Python Programming Language | =3.3-beta2 | |
| Python Programming Language | =3.4-alpha1 | |
| openSUSE | =11.4 | |
| openSUSE | =12.2 | |
| openSUSE | =12.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugs.python.org/issue18709
- http://bugs.python.org/file31241/CVE-2013-4073_py34.patch
- http://bugs.python.org/file31242/CVE-2013-4073_py33.patch
- http://bugs.python.org/file31243/CVE-2013-4073_py27.patch
- https://access.redhat.com/security/cve/CVE-2013-4073
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=979251
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996400
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996401
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996403
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996405
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996408
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996409
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996410
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996402
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996404
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996406
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996407
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=996399
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=998430
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=788301
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=788301&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=788302
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=788302&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=998783
- https://rhn.redhat.com/errata/RHSA-2013-1582.html
- https://rhn.redhat.com/errata/RHSA-2013-1527.html
- https://bugzilla.redhat.com/show_bug.cgi?id=996381
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00026.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00027.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00042.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00043.html
- http://rhn.redhat.com/errata/RHSA-2013-1582.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://www.debian.org/security/2014/dsa-2880
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.ubuntu.com/usn/USN-1982-1
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- agent/remedy
- agent/first-publish-date
- agent/type
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4238
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.04
- vendor/python
- canonical/python programming language
- version/python programming language/2.6.1
- version/python programming language/2.6.2
- version/python programming language/2.6.3
- version/python programming language/2.6.4
- version/python programming language/2.6.5
- version/python programming language/2.6.6
- version/python programming language/2.6.7
- version/python programming language/2.6.8
- version/python programming language/2.6.2150
- version/python programming language/2.6.6150
- version/python programming language/2.7.1
- version/python programming language/2.7.1-rc1
- version/python programming language/2.7.2-rc1
- version/python programming language/2.7.3
- version/python programming language/2.7.1150
- version/python programming language/2.7.2150
- version/python programming language/3.0
- version/python programming language/3.0.1
- version/python programming language/3.1
- version/python programming language/3.1.1
- version/python programming language/3.1.2
- version/python programming language/3.1.3
- version/python programming language/3.1.4
- version/python programming language/3.1.5
- version/python programming language/3.1.2150
- version/python programming language/3.2
- version/python programming language/3.2-alpha
- version/python programming language/3.2.3
- version/python programming language/3.2.2150
- version/python programming language/3.3
- version/python programming language/3.3-beta2
- version/python programming language/3.4-alpha1
- vendor/opensuse
- canonical/opensuse
- version/opensuse/11.4
- version/opensuse/12.2
- version/opensuse/12.3