ssl: NULL in subjectAltNames

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

SSL module fails to handle NULL bytes inside subjectAltNames general names.

It’s related to Ruby’s CVE-2013-4073.

Issue #18709 reported by Christian Heimes at 2013-08-12.

Dates:

  • Disclosure date: 2013-06-27 (Ruby issue)
  • Reported by: Ryan Sleevi of the Google Chrome Security Team

Fixed In

Python issue

SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238).

  • Python issue: bpo-18709
  • Creation date: 2013-08-12
  • Reporter: Christian Heimes

CVE-2013-4238

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a ‘0’ character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Timeline

Timeline using the disclosure date 2013-06-27 as reference:

  • 2013-06-27: Disclosure date (Ruby issue)
  • 2013-08-12 (+46 days): Python issue bpo-18709 reported by Christian Heimes
  • 2013-08-16 (+50 days): commit 824f7f3 (branch 3.3)
  • 2013-08-18 (+52 days): CVE-2013-4238 published
  • 2013-08-23 (+57 days): commit 82f8828 (branch 2.7)
  • 2013-10-29 (+124 days): Python 2.6.9 released
  • 2013-11-10 (+136 days): Python 2.7.6 released
  • 2013-11-17 (+143 days): Python 3.3.3 released
  • 2014-03-16: Python 3.4.0 released
  • 2014-09-30 (+460 days): commit ec3c103 (branch 3.2)
  • 2014-10-12 (+472 days): Python 3.2.6 released