Bug 11206

Summary: python-OpenSSL - hostname check bypassing vulnerability (CVE-2013-4314)
Product: Mageia
Reporter: Oden Eriksson <oe>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, luigiwalser, sysadmin-bugs
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/566722/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK has_procedure
Source RPM: python-OpenSSL
CVE:
Status comment:
Attachments: Script for testing https connection.

Description Oden Eriksson 2013-09-09 17:21:48 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=1005325

" Vincent Danen 2013-09-06 12:24:39 EDT

The pyOpenSSL module implements hostname identity checks but it did not properly handle hostnames in the certificate that contain null bytes.  In all releases prior to 0.13.1, the string formatting of subjectAltName X509Extension instances incorrectly truncated fields of the name when encountering the null byte.

When a CA that an SSL client trusts issues a server certificate that has a null byte in the subjectAltName, remote attackers can obtain a certificate for 'www.foo.org\0.example.com' from the CA to spoof 'www.foo.org' and conduct man-in-the-middle attacks between the pyOpenSSL-using client and SSL servers.

[1] https://mail.python.org/pipermail/pyopenssl-users/2013-September/000478.html"

Comment 1 Oden Eriksson 2013-09-09 17:22:55 CEST
python-OpenSSL-0.12-1.1.mga2, python-OpenSSL-0.13-2.1.mga3 and python-OpenSSL-0.13.1-1.mga4 have been submitted where this is fixed.

Comment 2 David Walser 2013-09-09 19:15:58 CEST
Advisory:
========================

Updated python-OpenSSL package fixes security vulnerability:

The string formatting of subjectAltName X509Extension instances in pyOpenSSL
before 0.13.1 incorrectly truncated fields of the name when encountering a
null byte, possibly allowing man-in-the-middle attacks through certificate
spoofing (CVE-2013-4314).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4314
https://mail.python.org/pipermail/pyopenssl-users/2013-September/000478.html
https://bugzilla.redhat.com/show_bug.cgi?id=1005325
========================

Updated packages in core/updates_testing:
========================
python-OpenSSL-0.12-1.1.mga2
python-OpenSSL-0.13-2.1.mga3

from SRPMS:
python-OpenSSL-0.12-1.1.mga2.src.rpm
python-OpenSSL-0.13-2.1.mga3.src.rpm

Version: 2 => 3
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4314: python-OpenSSL - hostname check bypassing vulnerability => python-OpenSSL - hostname check bypassing vulnerability (CVE-2013-4314)
Whiteboard: (none) => MGA2TOO
Severity: normal => major
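
Added example (not part of this bug report and not pyOpenSSL's code): a Python model of the truncation described in the advisory above. It parses a constructed subjectAltName value length-aware, then compares a check that cuts each dNSName at the first null byte with one that rejects such names; all function names and sample data are assumptions made for illustration.

```python
"""Model of null-byte truncation in subjectAltName handling (illustrative only)."""

def _tlv(tag, body):
    # DER tag-length-value encoder (short and long length forms).
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def build_san(names):
    # GeneralNames is a SEQUENCE (0x30); dNSName is [2] IMPLICIT IA5String (0x82).
    return _tlv(0x30, b"".join(_tlv(0x82, n) for n in names))

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        size = first & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dns_names(san_der):
    # Length-aware extraction: every byte of each dNSName is kept, NUL included.
    tag, body, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:
            names.append(value)
    return names

def truncating_match(san_der, host):
    # Models the flaw: each name is cut at the first NUL before comparison.
    want = host.lower().encode()
    return any(n.split(b"\x00", 1)[0].lower() == want for n in dns_names(san_der))

def strict_match(san_der, host):
    # Hardened (exact match only, no wildcard logic): a dNSName containing NUL
    # or any other non-hostname byte fails the whole check instead of being cut.
    allowed = set(b"abcdefghijklmnopqrstuvwxyz0123456789-.*")
    names = [n.lower() for n in dns_names(san_der)]
    if any(not n or set(n) - allowed for n in names):
        raise ValueError("malformed dNSName in subjectAltName")
    return host.lower().encode() in names

SPOOFED = build_san([b"www.foo.org\x00.example.com"])  # constructed sample
HONEST = build_san([b"www.foo.org"])                   # constructed sample
```
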

Comment 3 Dave Hodgins 2013-09-11 01:18:07 CEST
Created attachment 4345
Script for testing https connection.

CC: (none) => davidwhodgins

Comment 4 Dave Hodgins 2013-09-11 01:27:55 CEST
Testing complete m2 and m3, both arches.

Advisory 11206.adv committed to svn.

Someone from the sysadmin team please push 11206.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK has_procedure
CC: (none) => sysadmin-bugs

Comment 5 David Walser 2013-09-13 18:05:50 CEST
Mandriva has issued an advisory for this today (September 13):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:233/

URL: http://www.openwall.com/lists/oss-security/2013/09/06/2 => http://lwn.net/Vulnerabilities/566722/
CC: (none) => luigiwalser

Comment 6 Nicolas Vigier 2013-09-13 22:22:30 CEST
http://advisories.mageia.org/MGASA-2013-0277.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:23 CEST

CC: boklm => (none)