{"id":"MGASA-2013-0252","summary":"Updated python3, bzr and some python packages fix security vulnerabilities","details":"Updated python3 packages fix security vulnerabilities:\n\nA denial of service flaw was found in the way SSL module implementation of\nPython 3 performed matching of the certificate's name in the case it contained\nmany '*' wildcard characters. A remote attacker, able to obtain valid\ncertificate with its name containing a lot of '*' wildcard characters could use\nthis flaw to cause denial of service (excessive CPU consumption) by issuing\nrequest to validate such a certificate for / to an application using the\nPython's ssl.match_hostname() functionality (CVE-2013-2099).\n\nRyan Sleevi of the Google Chrome Security Team has discovered that Python's SSL\nmodule doesn't handle NULL bytes inside subjectAltNames general names. This\ncould lead to a breach when an application uses ssl.match_hostname() to match\nthe hostname against the certificate's subjectAltName's dNSName general names.\n(CVE-2013-4238).\n\nAdditionally, a linking issue when compiling C extensions for Python 3 has been\nfixed in Mageia 3 (mga#9395).\n\nThe CVE-2013-2099 issue also affects bzr, python-requests, python-tornado,\npython-pip, and python-virtualenv, and those have been updated as 
well.\n","modified":"2026-04-16T01:45:57.029337935Z","published":"2013-08-22T17:58:14Z","upstream":["CVE-2013-2099","CVE-2013-4238"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0252.html"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099"},{"type":"REPORT","url":"http://bugs.python.org/issue18709"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=9395"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=10989"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=10391"}],"affected":[{"package":{"name":"python3","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/python3?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.3-1.5.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"python-tornado","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/python-tornado?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.1-1.1.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"bzr","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/bzr?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.1-1.1.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"python3","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/python3?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.0-4.3.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-
2013-0252.json"}},{"package":{"name":"python-pip","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/python-pip?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.1-2.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"python-tornado","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/python-tornado?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3-2.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"bzr","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/bzr?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.1-3.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"python-requests","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/python-requests?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.13.5-2.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}},{"package":{"name":"python-virtualenv","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/python-virtualenv?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.9.1-1.2.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0252.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}