exploit the possibilities
Showing 1 - 9 of 9 RSS Feed

CVE-2013-2099

Status Candidate

Overview

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Related Files

Red Hat Security Advisory 2016-1166-01
Posted May 31, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1166-01 - Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. Security Fix: The following fix was applied to the python component: The Python standard library HTTP client modules did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data.

tags | advisory, web, python
systems | linux, redhat
advisories | CVE-2013-2099, CVE-2013-7440
MD5 | eb14dd1081988f81d83fb63991cc2460
Red Hat Security Advisory 2015-0042-01
Posted Jan 14, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0042-01 - The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install ssh keys and to let the user run various scripts. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU. This issue was discovered by Florian Weimer of Red Hat Product Security.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
MD5 | 2541e8505ef947e95dbb0fc814ac0b4b
Red Hat Security Advisory 2014-1690-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1690-01 - The python-backports-ssl_match_hostname package provides RFC 6125 compliant wildcard matching. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU. This issue was discovered by Florian Weimer of Red Hat Product Security.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
MD5 | 0ef994ff3cfd7c6524f7b9b70f4104d7
Red Hat Security Advisory 2014-1263-01
Posted Sep 18, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1263-01 - Red Hat Storage is software-only, scale-out storage that provides flexible and affordable unstructured data storage for an enterprise. GlusterFS, a key building block of Red Hat Storage, is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
MD5 | 4670c4aa83b192f032647146bf5fbc5d
Gentoo Linux Security Advisory 201401-04
Posted Jan 6, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201401-4 - Multiple vulnerabilities have been found in Python, worst of which allows remote attackers to cause a Denial of Service condition. Versions less than 3.3.2-r1 are affected.

tags | advisory, remote, denial of service, vulnerability, python
systems | linux, gentoo
advisories | CVE-2010-1634, CVE-2010-2089, CVE-2010-3492, CVE-2010-3493, CVE-2011-1015, CVE-2012-0845, CVE-2012-1150, CVE-2013-2099
MD5 | 9388c3a826bad9d0f5b92b7964b28ae6
Ubuntu Security Notice USN-1985-1
Posted Oct 1, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1985-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, denial of service, python
systems | linux, ubuntu
advisories | CVE-2013-2099, CVE-2013-4238, CVE-2013-2099, CVE-2013-4238
MD5 | 30dd161fd7f10f0022dade719a6d4f5d
Ubuntu Security Notice USN-1983-1
Posted Oct 1, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1983-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. This issue only affected Ubuntu 13.04. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, denial of service, python
systems | linux, ubuntu
advisories | CVE-2013-2099, CVE-2013-4238, CVE-2013-2099, CVE-2013-4238
MD5 | 25d866b12b48af0ef408ee77c8a071fa
Ubuntu Security Notice USN-1984-1
Posted Oct 1, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1984-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.

tags | advisory, denial of service, python
systems | linux, ubuntu
advisories | CVE-2013-2099, CVE-2013-4238, CVE-2013-2099, CVE-2013-4238
MD5 | 0e5f515994007e24c3f0444a767d34fc
Mandriva Linux Security Advisory 2013-229
Posted Sep 10, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-229 - A denial of service flaw was found in the way SSL module implementation of Python 3 performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain valid certificate with its name containing a lot of '*' wildcard characters could use this flaw to cause denial of service (excessive CPU consumption) by issuing request to validate such a certificate for / to an application using the Python's ssl.match_hostname() functionality.

tags | advisory, remote, denial of service, python
systems | linux, mandriva
advisories | CVE-2013-2099
MD5 | 115f04300c8aadd79b8c495a5a32f43a
Page 1 of 1
Back1Next

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close