.. _ssl-match_hostname-idna:

ssl.match_hostname() IDNA issue
===============================

.. warning::

   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

``ssl.match_hostname()``: substring wildcard should not match IDNA prefix.

Change the behavior of ``ssl.match_hostname()`` to follow RFC 6125, for security reasons. It no longer matches multiple wildcards, nor wildcards inside IDN fragments.

Note that this function was only added to Python 2.7 in a backport to 2.7.9, and was added in its fixed form, so no release of Python 2.7 has this vulnerability.

Dates:

* Disclosure date: **2013-05-17** (Python issue bpo-17997 reported)

Fixed In
--------

* Python **3.3.3** (2013-11-17) fixed by `commit 72c98d3 (branch 3.3) `_ (2013-10-27)
* Python **3.4.0** (2014-03-16) fixed by `commit 72c98d3 (branch 3.3) `_ (2013-10-27)

Python issue
------------

ssl.match_hostname(): sub string wildcard should not match IDNA prefix.

* Python issue: `bpo-17997 `_
* Creation date: 2013-05-17
* Reporter: Christian Heimes

CVE-2013-7440
-------------

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.

* CVE ID: `CVE-2013-7440 `_
* Published: 2016-06-07
* `CVSS Score `_: 4.3

Timeline
--------

Timeline using the disclosure date **2013-05-17** as reference:

* 2013-05-17: `Python issue bpo-17997 `_ reported by Christian Heimes
* 2013-10-27 (**+163 days**): `commit 72c98d3 (branch 3.3) `_
* 2013-11-17 (**+184 days**): Python 3.3.3 released
* 2014-03-16: Python 3.4.0 released
* 2016-06-07 (**+1117 days**): CVE-2013-7440 published

Links
-----

* https://tools.ietf.org/html/rfc6125
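The RFC 6125 rule that the fix enforces, as an added example that is not CPython's own ``_dnsname_match`` (though modelled on the 3.3.3 logic): ``dnsname_match`` expands a wildcard only in the leftmost label, allows at most one, and never expands it inside an IDNA A-label, while ``_legacy_match`` reconstructs the pre-fix per-label substring expansion that CVE-2013-7440 describes, for comparison. The function names, the ``CertificateError`` class and the sample hostnames are assumptions.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name pattern is malformed (assumed name)."""


def _legacy_match(pattern, hostname):
    """Pre-3.3.3 style matching, reconstructed for illustration: every '*' in
    every label expands to '[^.]*', so 'xn--*' matches any A-label and one
    label may carry several wildcards. This is what CVE-2013-7440 describes."""
    pats = [re.escape(frag).replace(r'\*', '[^.]*') for frag in pattern.split('.')]
    regex = r'\A' + r'\.'.join(pats) + r'\Z'
    return re.match(regex, hostname, re.IGNORECASE) is not None


def dnsname_match(pattern, hostname, max_wildcards=1):
    """Match hostname against a dNSName pattern per RFC 6125 (modelled on the
    3.3.3 fix): wildcards are expanded only in the leftmost label, at most
    max_wildcards of them, and never inside an IDNA A-label (xn--)."""
    if not pattern:
        return False
    leftmost, *remainder = pattern.split('.')

    if leftmost.count('*') > max_wildcards:
        raise CertificateError('too many wildcards in certificate DNS name: %r' % pattern)
    if '*' not in leftmost:
        # No wildcard in the leftmost label: plain case-insensitive comparison,
        # so a '*' in any other label is never expanded.
        return pattern.lower() == hostname.lower()

    if leftmost == '*':
        pats = ['[^.]+']                      # bare '*' matches one non-empty label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]          # IDNA fragment: '*' is taken literally
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]  # e.g. 'f*' matches 'foo'
    pats.extend(re.escape(frag) for frag in remainder)     # remaining labels are literal

    regex = r'\A' + r'\.'.join(pats) + r'\Z'
    return re.match(regex, hostname, re.IGNORECASE) is not None


def rejects(pattern, hostname):
    """True if the fixed matcher refuses the pattern outright as malformed."""
    try:
        dnsname_match(pattern, hostname)
    except CertificateError:
        return True
    return False
```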