ssl.match_hostname() IDNA issue
ssl.match_hostname(): substring wildcard should not match IDNA prefix.
Change behavior of ssl.match_hostname() to follow RFC 6125, for security reasons. It now doesn't match multiple wildcards nor wildcards inside IDN fragments.
Note that this function was only added to Python 2.7 in a backport to 2.7.9,
and was added in its fixed form, so no releases of Python 2.7 have this
vulnerability.
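The matching rules the fix enforces, as an added example: a standalone reimplementation written for this page, not CPython's own ssl module code (the function names dnsname_match and match_hostname, and the sample names, are assumptions). It shows which certificate patterns are accepted or rejected once a wildcard may only expand in a single leftmost, non-IDN label.

```python
import re

MAX_WILDCARDS = 1  # the fixed implementation tolerates at most one '*'


def dnsname_match(dn: str, hostname: str) -> bool:
    """Match one certificate dNSName pattern against a hostname (RFC 6125 style).

    Rules enforced (constructed reimplementation, not CPython's source):
    - more than one '*' in the pattern is rejected with ValueError,
    - '*' expands only in the leftmost label and never crosses a '.',
    - a leftmost label that is an IDNA A-label ('xn--...') is compared
      literally, so a '*' inside an IDN fragment never matches anything.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > MAX_WILDCARDS:
        raise ValueError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # no wildcard at all: plain case-insensitive comparison
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        # '*.example.com' matches exactly one label, never 'example.com'
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # IDN fragment: keep the '*' literal instead of expanding it
        pats = [re.escape(leftmost)]
    else:
        # partial wildcard such as 'f*.example.com' (no '.' allowed inside)
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    # every remaining label is literal, so a second '*' cannot act as a wildcard
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName in the list matches hostname."""
    return any(dnsname_match(dn, hostname) for dn in dns_names)


if __name__ == "__main__":
    # constructed sample patterns; the IDN one is rejected after the fix
    for pattern in ("*.example.com", "xn--*.example.com", "*.*.example.com"):
        print(pattern, "->", dnsname_match(pattern, "xn--caf-dma.example.com"))
```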
Dates:
- Disclosure date: 2013-05-17 (Python issue bpo-17997 reported)
Fixed In
- Python 3.3.3 (2013-11-17) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
- Python 3.4.0 (2014-03-16) fixed by commit 72c98d3 (branch 3.3) (2013-10-27)
Python issue
ssl.match_hostname(): substring wildcard should not match IDNA prefix.
- Python issue: bpo-17997
- Creation date: 2013-05-17
- Reporter: Christian Heimes
CVE-2013-7440
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
- CVE ID: CVE-2013-7440
- Published: 2016-06-07
- CVSS Score: 4.3
Timeline
Timeline using the disclosure date 2013-05-17 as reference:
- 2013-05-17: Python issue bpo-17997 reported by Christian Heimes
- 2013-10-27 (+163 days): commit 72c98d3 (branch 3.3)
- 2013-11-17 (+184 days): Python 3.3.3 released
- 2014-03-16: Python 3.4.0 released
- 2016-06-07 (+1117 days): CVE-2013-7440 published