ssl.match_hostname() IDNA issue
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
ssl.match_hostname(): substring wildcard should not match IDNA prefix.
Change behavior of ssl.match_hostname() to follow RFC 6125, for
security reasons. It no longer matches multiple wildcards (a wildcard is
honoured only in the leftmost label) nor a wildcard embedded in an IDN
fragment (an A-label beginning with xn--). Before the fix, a partial
wildcard such as x* was expanded to "x followed by any dotless string", so a
certificate issued for x*.example.com would have been accepted for any host
whose leftmost label is an A-label (xn--...) under example.com; a
man-in-the-middle holding such a certificate could spoof internationalized
domain names.
Note that this function was only added to Python 2.7 in a backport to 2.7.9,
and was added in its fixed form, so no release of Python 2.7 has this
vulnerability.
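To make the behaviour change concrete, the following is an added example; it is not CPython's ssl module code, although match_rfc6125 applies the RFC 6125 section 6.4.3 rules that the fix adopted. match_pre_fix reproduces the permissive style of expansion that the fix removed (every label may carry a wildcard, and a partial wildcard expands to any dotless string); match_rfc6125 honours at most one wildcard, only in the leftmost label, and never inside an xn-- A-label. The certificate names and hostnames in CASES are constructed for the example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name is malformed (too many wildcards)."""


def _build_pattern(labels):
    """Join already-escaped label patterns into an anchored, case-insensitive regex."""
    return re.compile(r'\A' + r'\.'.join(labels) + r'\Z', re.IGNORECASE)


def match_pre_fix(dn, hostname):
    """Permissive matching of the kind the fix removed (added example, not CPython code).

    Every label may contain '*', and a '*' inside a label expands to any
    dotless string, so 'x*' matches the A-label 'xn--e1afmkfd' and
    '*.*.example.com' matches 'a.b.example.com'.
    """
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return _build_pattern(pats).match(hostname) is not None


def match_rfc6125(dn, hostname, max_wildcards=1):
    """Match a certificate dNSName against a hostname per RFC 6125 section 6.4.3.

    Rules applied:
      * more than max_wildcards '*' in the leftmost label is rejected outright
        (refusing many wildcards also avoids regex-based denial of service);
      * a wildcard is honoured only in the leftmost label; '*' in any other
        label is matched literally (item 1);
      * a wildcard is never expanded inside an IDNA A-label, i.e. when either
        the presented label or the hostname starts with 'xn--' (item 3).
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            'too many wildcards in certificate DNS name: %r' % dn)

    if not wildcards:
        # Common case: plain name, compare case-insensitively.
        return dn.lower() == hostname.lower()

    if leftmost == '*':
        # '*' as the whole leftmost label: any single label, including an A-label.
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # Item 3: no wildcard expansion inside an internationalized label, so the
        # '*' stays literal and 'x*' can no longer claim an 'xn--' label.
        pats = [re.escape(leftmost)]
    else:
        # Partial wildcard in an ordinary label: 'www*' matches 'www2'.
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]

    # Item 1: wildcards in the remaining labels are not special.
    pats.extend(re.escape(frag) for frag in remainder)
    return _build_pattern(pats).match(hostname) is not None


# Constructed cases (not from the advisory): certificate name, hostname.
CASES = [
    ('x*.example.com', 'xn--e1afmkfd.example.com'),   # substring wildcard vs A-label
    ('*.*.example.com', 'a.b.example.com'),           # wildcard outside leftmost label
    ('*.example.com', 'xn--e1afmkfd.example.com'),    # whole-label wildcard is still fine
    ('www*.example.com', 'www2.example.com'),         # partial wildcard, plain label
]


def compare():
    """Return {(dn, hostname): (pre_fix_result, rfc6125_result)} for CASES."""
    return {(dn, host): (match_pre_fix(dn, host), match_rfc6125(dn, host))
            for dn, host in CASES}


if __name__ == '__main__':
    for (dn, host), (before, after) in compare().items():
        print('%-18s vs %-27s pre-fix=%-5s rfc6125=%s' % (dn, host, before, after))
```

The first two cases are the ones the advisory is about: the permissive matcher accepts both, the RFC 6125 matcher rejects both. The last two show that a whole-label wildcard still covers an A-label and that a partial wildcard in an ordinary label still works, so the tightening does not break legitimate certificates.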
Dates:
Disclosure date: 2013-05-17 (Python issue bpo-17997 reported)
Fixed In
Python 3.3.3 (2013-11-17) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
Python 3.4.0 (2014-03-16) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
Python issue
ssl.match_hostname(): substring wildcard should not match IDNA prefix.
Python issue: bpo-17997
Creation date: 2013-05-17
Reporter: Christian Heimes
CVE-2013-7440
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE ID: CVE-2013-7440
Published: 2016-06-07
CVSS Score: 4.3
Timeline
Timeline using the disclosure date 2013-05-17 as reference:
2013-05-17: Python issue bpo-17997 reported by Christian Heimes
2013-10-27 (+163 days): commit 72c98d3 (branch 3.3)
2013-11-17 (+184 days): Python 3.3.3 released
2014-03-16 (+303 days): Python 3.4.0 released
2016-06-07 (+1117 days): CVE-2013-7440 published