security bug: match_hostname function from system ssl module should be used

Petr Stodulka pstodulk at
Tue Jul 21 13:54:27 UTC 2015


bzr's contains a copy of match_hostname implementation from Python 3
which wildcard matching rules do not follow RFC 6125, in consequence it 
can be
used for DoS attack [0] . Since Python v2.7.9 is ssl.match_hostname 
fully merged
into the standard library and should be used instead of implementation 


Possible patch is available here [2]. May tests for matching hostname 
could be removed
completely, when ssl library is used.



More information about the bazaar mailing list