Mageia Bugzilla – Bug 10989
python new security issue CVE-2013-4238
Last modified: 2013-08-26 21:12:41 CEST
A CVE has been assigned to Python upstream issue 18709:
Proposed patches to fix it have been attached to the upstream issue report.
Oden has added these patches in Cauldron, as well as Mageia 2 and Mageia 3.
Note that there is also a PoC attached to the upstream issue report.
Given the mention of ssl.match_hostname on the upstream issue report, I wonder if this is related to CVE-2013-2099 (Bug 10391).
I'm not assigning this to QA just yet, as discussion of this is continuing as we speak on the upstream issue report.
If it's decided to go ahead with these patches, we'll fix CVE-2013-2099 for python3 in the process, as the patch for that was already in SVN.
Steps to Reproduce:
A CVE was assigned as CVE-2013-4073 was for ruby.
New CVE is CVE-2013-4238 as of:
so we should release an update for python and python3 for mga 3 with the patch included ?
if yes, I can take care of and at the same time fix mga 10102 for Python 3
Oden, thanks for updating the correct CVE number.
Philippe, the patch(es) for this are already committed, so if there are any further fixes you want to commit, go ahead, and we can fix this one with the same update.
done for mga3 rev 466128, this should fix MGA#10102
python3-3.3.0-4.3.mga3 is update testing
I guess that Oden did all the others builds need
Philippe, do you have some information to add to the advisory describing what else you've fixed?
This fix MGA#10102 : "Unable to install Python packages with C extensions via pip and virtualenv" :
Before the fix installing Python packages via pip inside a virtualenv fails if the Python package uses a C extension.
OK, let's use this bug for the python update and Bug 10391 for the python3 update.
Updated python packages fix security vulnerability:
Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL
module doesn't handle NULL bytes inside subjectAltNames general names. This
could lead to a breach when an application uses ssl.match_hostname() to match
the hostname againt the certificate's subjectAltName's dNSName general names.
Additionally, an issue with installing Python packages with C extensions via
pip and virtualenv has been fixed in Mageia 3 (mga#10102).
Updated packages in core/updates_testing:
The bug title (with python3) was correct, as this CVE affects both python and python3. I used the other bug (Bug 10391) to handle the python3 update to separate these and make it easier for QA, but we are fixing this CVE for python3 as well.
No PoC so just testing python & tkinter using random examples from here, run in idle: http://wiki.python.org/moin/SimplePrograms
Testing complete mga3 64
Testing complete mga2 64
There's a PoC attached here:
No idea how to use the certificate on the link David. If you can point us in the right direction I'm happy to check it again.
Testing complete mga2-32 for now.
Yeah, sorry. I just looked at the ssl module and I don't even see match_hostname(), so I don't know how to use it either.
Testing complete mag3_32, ok for me nothing to report python works fine.
Could sysadmin please push from 2 & 3 core/updates_testing to updates
Looks like I screwed up on this one...the correct CVE is 4238, as it says in the bug title. The advisory has it typoed as 4328. This also happened in the Bug 10391 update.
Advisory 10989.adv corrected in svn.