CVE-2013-2098: Denial of service when matching certificate with many '*' wildcard characters

Issue #1 resolved
Ian Weller
created an issue

Submitting this bug upstream from Fedora.

CVE number CVE-2013-2098 has been assigned by the Red Hat Security Response Team.

A denial of service flaw was found in the way python-backports-ssl_match_hostname, an implementation that brings the ssl.match_hostname() function from Python 3.2 to users of earlier versions of Python, performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause a denial of service (excessive CPU time consumption) by issuing a request to validate that certificate for / in an application using the python-backports-ssl_match_hostname functionality.

Upstream bug report (now has a patch, not committed yet):

Red Hat Bugzilla tracking bug:
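As an added illustration of the flaw described above (example code, not code from this issue or from the python-backports-ssl_match_hostname project), the two functions below re-implement the pre-fix wildcard-to-regex translation, which turns every '*' into an unbounded `[^.]*` quantifier, next to a hardened matcher that caps the number of wildcards in the leftmost label before any regex is built; the function names and the `max_wildcards` parameter are assumptions of this example.

```python
import re

class CertificateError(ValueError):
    """Raised when a certificate name is refused before any matching is done."""

def dnsname_to_pat_vulnerable(dn):
    # Pre-fix translation (re-implemented for illustration): every '*' in every
    # label becomes '[^.]*'. A label such as '*****' yields five adjacent
    # unbounded quantifiers; a hostname whose leading label does not match makes
    # the regex engine try every split of that label between them (exponential).
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')  # a bare '*' label matches exactly one label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)

def dnsname_match_hardened(dn, hostname, max_wildcards=1):
    # Hardened matcher (re-implemented): the wildcard count is checked before a
    # regex exists, so a certificate name cannot drive backtracking. Wildcards
    # are honoured only in the leftmost label; a '*' in any other label is
    # escaped and matched literally. 'max_wildcards' is an assumed parameter.
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # No wildcard at all: plain case-insensitive comparison, no regex.
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        pats = ['[^.]+']
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None

if __name__ == '__main__':
    print(dnsname_to_pat_vulnerable('*****.example.com').pattern)
    print(dnsname_match_hardened('*.example.com', 'www.example.com'))
    try:
        dnsname_match_hardened('**.example.com', 'www.example.com')
    except CertificateError as exc:
        print('rejected:', exc)
```

The vulnerable builder is used here only to show the pattern it produces; the hardened matcher refuses the name before any regex exists, which is the property a regression test should pin down.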
