Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <519C6EF4.9020502@redhat.com>
Date: Wed, 22 May 2013 01:08:36 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tomas Hoger <thoger@...hat.com>, Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Ian Weller <ianweller@...oraproject.org>
Subject: Re: CVE Request (minor) -- Python 3.2: DoS when matching
 certificate with many '*' wildcard characters {was: CVE Request
 (minor) --  python-backports-ssl_match_hostname: Denial of service when matching
 certificate with many '*' wildcard characters }

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/20/2013 01:21 PM, Tomas Hoger wrote:
> On Wed, 15 May 2013 19:51:38 -0600 Kurt Seifried wrote:
> 
>> On 05/15/2013 05:28 AM, Jan Lieskovsky wrote:
> 
>>> Replying to myself here. Issue is present in Python 3.2 code
>>> too - so the CVE should be allocated for the original (Python
>>> 3.2) code, rather than to python-backports-ssl_match_hostname
>>> package.
> 
> ...
> 
>> Please use CVE-2013-2099 for this issue.
> 
> There should be no need for two separate CVEs for this issue. 
> Problematic match_hostname was developed in Python 3.  As its 
> functionality is needed by Python 2 users, and it is not provided
> by the standard library, Python 3 implementation was made available
> via different module.  It's the same code, packaged in python (3.x)
> and python-backports-ssl_match_hostname packages.  The same CVE
> should apply to both.
> 
> Given that CVE-2013-2099 was assigned to Python 3 ssl,
> CVE-2013-2098 seems like the one to reject as dupe.


My reasoning here was that Python 2 and 3 constitute "forked" or
separate code bases, so fall under CVE SPLIT.evidence includes:

1) Python 2to3, a lot of Python code needs work to move from 2 to 3
2) This feature was added as standard in Python 3 and then later back
ported to 2

Steve, can we get a referees decision here? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRnG70AAoJEBYNRVNeJnmTpEYP/jfly9dWKELpKrVdjXr7pKaU
KxwJSr2PlNA0p0vN91ESKZYsCBcGV/jnPU8YqhyW6WiFbTcpM7s8Kv7QGN+urQkB
NK0R7QNcZHb0e7/5NGkMyVFHZMivICsyOpjn8RgX39CC+OypjLCVln5cBctKvBvF
uYjf1GNOVW3EImTxGDa6xe04pqXRW1+g9E4jwaeDLNQSaB60j4QU2XmoSwsxvcor
LH2OAU3ZTaGztxLzQHfptaqV8XzeWvR8lRKduFcI8Yo6Y0peicBkTirzitLC+vDi
ZD6WX+ru7pyxNlMwfIss7H+xXQon/zCZO8Q8DTRGRTweLSMGyzVh7I2h6Xx2PfMo
2JFTJP6mEokPa9OEHZdEwkfwQGFGG2vKemrKgu7Ya+sDoNmSpNmU3jQAefUClW0b
1FGVGB2Q2gg4v2ZXyYGWSoYVBb9+Bg/d4eaJjNr2OxJh7Xlgc26f1aa9pbka6Xg/
M5sgMQwMD8ZMSuX2SY0RbiAcswQDbb5MWzcJZaeTsSqRZ5aEh+4y0VdMHAoXyiSm
+P6NcKQHYgOP/lnR7CRYjy6PgGVGW00RK0bufpR3bVbKLRAwbomVpyicJkreQag5
dO2RTGTdUnYdyFkvXUGGjrYrDi28yNt9ELn5N0fv3ChwK+dYJBMnxcQF2tIgyI9g
UdInSDJvngF8rE2QhQ0+
=tg8P
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.