[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

Andrew Starr-Bochicchio a.starr.b at gmail.com
Tue May 21 01:42:41 UTC 2013


Fixed both upstream and Debian. Attached debdiff merges the fix from
Debian.

(I've dropped the Ubuntu change to Vcs fields as the UDD bzr imports for
both Debian and Ubuntu are out of date. So that branch isn't very
helpful. Yes, I realize that is a bit ironic...)

Changes since last Ubuntu version:

 bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low
 .
   * Merge from Debian unstable. Remaining Ubuntu changes:
    - Drop build dependencies on python-{meliae,lzma,medusa},
      which are not in main.
   * Drop changes to Vcs fields. The UDD imports are out of date.
 .
 bzr (2.6.0~bzr6574-1) unstable; urgency=low
 .
   * New upstream snapshot.
    - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
      SSL cert hostname segment (Closes: #709068, LP: #1182124).
 .
 bzr (2.6.0~bzr6573-1) unstable; urgency=low
 .
   * Upload to unstable.
   * New upstream snapshot.
   * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
     (LP: #1116079, #1160572).
   * Drop debian/patches/04_revert_ui_changes, fixed upstream.
   * Drop deprecated Dm-Upload-Allowed field.
   * Bump Standards-Version to 3.9.4, no changes needed.
   * Drop un-needed Build-Conflicts on python-gpgme.

** Patch added: "debian>ubuntu.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1182124/+attachment/3682448/+files/debian%3Eubuntu.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/1182124

Title:
  [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

Status in Bazaar Version Control System:
  Fix Committed
Status in Python:
  Fix Released
Status in “bzr” package in Ubuntu:
  Triaged
Status in “bzr” package in Debian:
  Confirmed

Bug description:
  /bzrlib/transport/http/_urllib2_wrappers.py contains code from Python
  3.2's ssl module for which there has been a security issue found.

  Python Bug: http://bugs.python.org/issue17980
  CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
  Probable fix: http://hg.python.org/cpython/rev/fafd33db6ff6/

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: bzr 2.6.0~bzr6571-4ubuntu2
  ProcVersionSignature: Ubuntu 3.8.0-21.32-generic 3.8.8
  Uname: Linux 3.8.0-21-generic x86_64
  ApportVersion: 2.9.2-0ubuntu8
  Architecture: amd64
  Date: Mon May 20 11:36:23 2013
  InstallationDate: Installed on 2013-03-16 (64 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130316)
  MarkForUpload: True
  PackageArchitecture: all
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: bzr
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/bzr/+bug/1182124/+subscriptions
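As an added illustration of the fix the changelog describes (example code, not bzr's or CPython's own), a hostname matcher in the style of ssl.match_hostname that refuses to build a regex when the leftmost label of a certificate name carries more than one wildcard; the function names and the sample names below are constructed for the demonstration.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name cannot be matched safely."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match a certificate DNS name against a hostname (RFC 6125 style).

    The wildcard count is checked before any pattern is compiled, so a
    crafted name such as 'a*b*c*d.example.com' is rejected instead of
    becoming a regex with many overlapping '[^.]*' groups.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in DNS name: %r" % dn)

    if not wildcards:
        # No wildcard: plain case-insensitive comparison.
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == '*':
        pats.append('[^.]+')            # '*' matches exactly one label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats.append(re.escape(leftmost))  # IDNA labels: no expansion
    else:
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    pats.extend(re.escape(frag) for frag in remainder)

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def classify(dn, hostname):
    """Return 'match', 'no-match' or 'rejected' for a (cert name, host) pair."""
    try:
        return 'match' if dnsname_match(dn, hostname) else 'no-match'
    except CertificateError:
        return 'rejected'


if __name__ == '__main__':
    # Constructed sample names: one legitimate wildcard, one crafted name.
    for dn, host in [('*.example.com', 'www.example.com'),
                     ('a*b*c*d.example.com', 'abcd.example.com')]:
        print(dn, host, classify(dn, host))
```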
