security bug: match_hostname function from system ssl module should be used
Petr Stodulka
pstodulk at redhat.com
Tue Jul 21 13:54:27 UTC 2015
Hi,
bzr contains a copy of the match_hostname implementation from Python 3 whose wildcard matching rules do not follow RFC 6125; in consequence it can be used for a DoS attack [0]. Since Python v2.7.9, ssl.match_hostname is fully merged into the standard library and should be used instead of the implementation inside bzrlib/transport/http/_urllib2_wrappers.py.

A possible patch is available here [2]. Maybe the tests for matching hostname could be removed completely when the ssl library is used.
Petr
--------
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1224999
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1230678
[2] https://bugzilla.redhat.com/attachment.cgi?id=1054367
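The change the message asks for, as an added example that is neither bzr's code nor the patch in [2]: a small wrapper that calls ssl.match_hostname whenever the running interpreter provides it (Python 2.7.9+ and 3.2 through 3.11; deprecated from 3.7, removed in 3.12) and otherwise falls back to a strict single-wildcard matcher written here. The fallback, the getpeercert()-style certificate dictionaries and the forty-wildcard hostile name are all constructed for this illustration and are not from the original post.

```python
# Added example: prefer the stdlib ssl.match_hostname over a vendored copy.
# The certificate dicts and the fallback matcher are constructed here.
import ssl
import warnings

# ssl.match_hostname exists in Python 2.7.9+ and 3.2 to 3.11 (deprecated
# from 3.7) and was removed in 3.12, where the attribute is simply absent.
_STDLIB_MATCH = getattr(ssl, "match_hostname", None)


class CertificateError(ValueError):
    """Mismatch error of the fallback matcher, mirroring ssl.CertificateError."""


def _dnsname_match(dn, hostname):
    """Match one dNSName/commonName value against hostname, RFC 6125 style.

    One wildcard is allowed, and only as the entire leftmost label:
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com'. Several wildcards or a partial one ('w*.example.com')
    are rejected up front instead of being compiled into a regex that can
    backtrack heavily on attacker-chosen certificate names.
    """
    if not dn:
        return False
    wildcards = dn.count("*")
    if wildcards == 0:
        return dn.lower() == hostname.lower()
    if wildcards > 1:
        raise CertificateError("too many wildcards in certificate name: %r" % dn)
    dn_leftmost, sep, dn_rest = dn.partition(".")
    if not sep or dn_leftmost != "*":
        raise CertificateError("wildcard must be the whole leftmost label: %r" % dn)
    host_leftmost, sep, host_rest = hostname.partition(".")
    if not host_leftmost or not sep:
        return False
    return dn_rest.lower() == host_rest.lower()


def _fallback_match_hostname(cert, hostname):
    """Same contract as ssl.match_hostname: None on match, raise on mismatch.

    dNSName entries in subjectAltName are checked first; commonName is only
    consulted when the certificate carries no dNSName at all.
    """
    if not cert:
        raise ValueError("empty or no certificate")
    names = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if _dnsname_match(value, hostname):
                return None
            names.append(value)
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if _dnsname_match(value, hostname):
                        return None
                    names.append(value)
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ", ".join(map(repr, names)) or "any name"))


def match_hostname(cert, hostname, use_stdlib=True):
    """What a project would call in place of its vendored copy.

    Delegates to ssl.match_hostname when the interpreter has it (and
    use_stdlib is true), otherwise to the strict fallback above.
    """
    if use_stdlib and _STDLIB_MATCH is not None:
        with warnings.catch_warnings():
            # Deprecated in 3.7+, but still the maintained implementation.
            warnings.simplefilter("ignore", DeprecationWarning)
            return _STDLIB_MATCH(cert, hostname)
    return _fallback_match_hostname(cert, hostname)


def hostname_matches(cert, hostname, use_stdlib=True):
    """Boolean form: True if the certificate is valid for hostname."""
    try:
        match_hostname(cert, hostname, use_stdlib)
    except (ssl.CertificateError, CertificateError):
        return False
    return True


# Constructed certificates in the dict shape SSLSocket.getpeercert() returns.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "example.com"),)),
}
# Forty wildcard labels: the kind of input that drives a regex-based matcher
# into heavy backtracking; the strict matcher rejects it immediately.
HOSTILE_CERT = {
    "subjectAltName": (("DNS", ".".join(["*"] * 40 + ["example.com"])),),
}


if __name__ == "__main__":
    print("using:", "ssl.match_hostname" if _STDLIB_MATCH else "strict fallback")
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, hostname_matches(WILDCARD_CERT, host))
    print("hostile name", hostname_matches(HOSTILE_CERT, "a.b.example.com"))
```

Both code paths keep the stdlib contract (return None on success, raise on mismatch), so a caller that today catches ssl.CertificateError needs no change; hostname_matches is only a convenience for callers that want a boolean.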