[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

Launchpad Bug Tracker 1182124 at bugs.launchpad.net
Wed May 22 16:37:14 UTC 2013


This bug was fixed in the package bzr - 2.6.0~bzr6574-1ubuntu1

---------------
bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu changes:
   - Drop build dependencies on python-{meliae,lzma,medusa},
     which are not in main.
  * Drop changes to Vcs fields. The UDD imports are out of date.

bzr (2.6.0~bzr6574-1) unstable; urgency=low

  * New upstream snapshot.
   - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
     SSL cert hostname segment (Closes: #709068, LP: #1182124).

bzr (2.6.0~bzr6573-1) unstable; urgency=low

  * Upload to unstable.
  * New upstream snapshot.
  * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
    (LP: #1116079, #1160572).
  * Drop debian/patches/04_revert_ui_changes, fixed upstream.
  * Drop deprecated Dm-Upload-Allowed field.
  * Bump Standards-Version to 3.9.4, no changes needed.
  * Drop un-needed Build-Conflicts on python-gpgme.
 -- Andrew Starr-Bochicchio <a.starr.b at gmail.com>   Mon, 20 May 2013 20:55:13 -0400

** Changed in: bzr (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/1182124

Title:
  [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

Status in Bazaar Version Control System:
  Fix Committed
Status in Python:
  Fix Released
Status in “bzr” package in Ubuntu:
  Fix Released
Status in “bzr” package in Debian:
  Fix Released

Bug description:
  /bzrlib/transport/http/_urllib2_wrappers.py contains code from Python
  3.2's ssl module for which there has been a security issue found.

  Python Bug: http://bugs.python.org/issue17980
  CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
  Probable fix: http://hg.python.org/cpython/rev/fafd33db6ff6/

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: bzr 2.6.0~bzr6571-4ubuntu2
  ProcVersionSignature: Ubuntu 3.8.0-21.32-generic 3.8.8
  Uname: Linux 3.8.0-21-generic x86_64
  ApportVersion: 2.9.2-0ubuntu8
  Architecture: amd64
  Date: Mon May 20 11:36:23 2013
  InstallationDate: Installed on 2013-03-16 (64 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130316)
  MarkForUpload: True
  PackageArchitecture: all
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: bzr
  UpgradeStatus: No upgrade log present (probably fresh install)
