ssl.match_hostname() IDNA issue
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
ssl.match_hostname(): sub string wildcard should not match IDNA prefix.
Change behavior of ssl.match_hostname() to follow RFC 6125, for security reasons. It no longer matches multiple wildcards, nor wildcards inside IDN fragments. Before the fix, a certificate name carrying several wildcards, or a wildcard inside an IDNA-encoded (xn--) label, could be matched against hostnames it should not cover, which is what lets a crafted certificate pass hostname verification against a spoofed server.
Note that this function was only added to Python 2.7 in a backport to 2.7.9, and was added in its fixed form, so no release of Python 2.7 has this vulnerability. The CVE description below nonetheless lists "before 2.7.9"; on this page's account that range contains no affected 2.7 release, only releases without the function.
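To make the two behaviours concrete, here is an added example (not code from CPython or from this page) contrasting a naive wildcard matcher with one that follows the RFC 6125 rules the fix adopted. Both matchers are simplified re-implementations written for this page; `naive_match`, `rfc6125_match`, `compare` and the sample certificate names and hostnames are all constructed for illustration. The naive matcher treats every `*` in every label as a wildcard; the RFC 6125 matcher allows at most one wildcard, only in the leftmost label, refuses to expand it inside an IDNA A-label (`xn--`), and compares every other label literally.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name cannot be matched safely."""


def naive_dnsname_to_pat(dn):
    """Pre-fix style matcher (reconstructed for illustration, not CPython's code).

    Every '*' in every label becomes a sub-label wildcard, so names such as
    'xn--*.example.com' and '*.*.com' are accepted.
    """
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def naive_match(dn, hostname):
    return naive_dnsname_to_pat(dn).match(hostname) is not None


def rfc6125_match(dn, hostname, max_wildcards=1):
    """Matcher following the RFC 6125 rules the fix adopted (illustrative).

    - at most one wildcard, and only in the leftmost label;
    - no wildcard expansion inside an IDNA A-label (xn--...);
    - all remaining labels are compared literally, case-insensitively.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # No wildcard anywhere in the leftmost label: plain literal compare.
        # A '*' in a later label is therefore never treated as a wildcard.
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        # A bare '*' must match exactly one non-empty label.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # Never match a partial wildcard inside an IDN label.
        pats.append(re.escape(leftmost))
    else:
        # Partial wildcard such as 'f*' is allowed in the leftmost label.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    for frag in remainder:
        pats.append(re.escape(frag))  # literal; '*' here is not a wildcard
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def compare(dn, hostname):
    """Return (naive_result, rfc6125_result).

    rfc6125_result is the string 'error' when the fixed matcher refuses the
    certificate name outright instead of silently matching it.
    """
    try:
        fixed = rfc6125_match(dn, hostname)
    except CertificateError:
        fixed = "error"
    return naive_match(dn, hostname), fixed


# Constructed sample pairs of (certificate DNS name, hostname being verified).
CASES = [
    ("xn--*.example.com", "xn--kcry6tjko.example.com"),  # wildcard in IDN label
    ("*.*.com", "a.b.com"),                                # multiple wildcards
    ("a*b*c.example.com", "aXbYc.example.com"),            # two in one label
    ("*.example.com", "www.example.com"),                  # legitimate wildcard
    ("*.example.com", "a.b.example.com"),                  # must not span labels
    ("f*.example.com", "foo.example.com"),                 # partial leftmost
    ("example.com", "EXAMPLE.COM"),                        # case-insensitive
]

if __name__ == "__main__":
    for dn, hostname in CASES:
        naive, fixed = compare(dn, hostname)
        print("%-22s vs %-28s naive=%-5s rfc6125=%s" % (dn, hostname, naive, fixed))
```

The first three cases are the ones the fix targets: the naive matcher accepts all of them, while the RFC 6125 matcher rejects the IDN and multi-label cases and raises `CertificateError` for more than one wildcard in a label. The remaining cases show that ordinary single-label wildcards and case-insensitive literal names still match after the change.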
Dates:
- Disclosure date: 2013-05-17 (Python issue bpo-17997 reported)
Fixed In
- Python 3.3.3 (2013-11-17) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
- Python 3.4.0 (2014-03-16) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
Python issue
ssl.match_hostname(): sub string wildcard should not match IDNA prefix.
- Python issue: bpo-17997
- Creation date: 2013-05-17
- Reporter: Christian Heimes
CVE-2013-7440
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
- CVE ID: CVE-2013-7440
- Published: 2016-06-07
- CVSS Score: 4.3
Timeline
Timeline using the disclosure date 2013-05-17 as reference:
- 2013-05-17: Python issue bpo-17997 reported by Christian Heimes
- 2013-10-27 (+163 days): commit 72c98d3 (branch 3.3)
- 2013-11-17 (+184 days): Python 3.3.3 released
- 2014-03-16 (+303 days): Python 3.4.0 released
- 2016-06-07 (+1117 days): CVE-2013-7440 published