Ubuntu Security Notice 1983-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. This issue only affected Ubuntu 13.04. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.
9ab7514520e21d4cb81b76c6be2121d9d8ecc991fae05d293e5e8061b9f84a2a
============================================================================
Ubuntu Security Notice USN-1983-1
October 01, 2013
python2.7 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python.
Software Description:
- python2.7: An interactive high-level object-oriented language
Details:
Florian Weimer discovered that Python incorrectly handled matching multiple
wildcards in ssl certificate hostnames. An attacker could exploit this to
cause Python to consume resources, resulting in a denial of service. This
issue only affected Ubuntu 13.04. (CVE-2013-2099)
Ryan Sleevi discovered that Python did not properly handle certificates
with NULL characters in the Subject Alternative Name field. An attacker
could exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. (CVE-2013-4238)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.04:
python2.7 2.7.4-2ubuntu3.2
python2.7-minimal 2.7.4-2ubuntu3.2
Ubuntu 12.10:
python2.7 2.7.3-5ubuntu4.3
python2.7-minimal 2.7.3-5ubuntu4.3
Ubuntu 12.04 LTS:
python2.7 2.7.3-0ubuntu3.4
python2.7-minimal 2.7.3-0ubuntu3.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1983-1
CVE-2013-2099, CVE-2013-4238
Package Information:
https://launchpad.net/ubuntu/+source/python2.7/2.7.4-2ubuntu3.2
https://launchpad.net/ubuntu/+source/python2.7/2.7.3-5ubuntu4.3
https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.4