[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: bzr
    Milestone: 2.6b3 => 2.6.0

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1182124

Title:
  [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

To manage notifications about this bug go to:
https://bugs.launchpad.net/bzr/+bug/1182124/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: bzr
    Status: Fix Committed => Fix Released
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Branch linked: lp:~debian-bazaar/bzr/2.6
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
Note: there's now a backports module on pypi for this function: https://pypi.python.org/pypi/backports.ssl_match_hostname/ However, it hasn't fixed this CVE upstream as fast as you have :-)
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
Merge in comment #2 looks good. Thanks! Uploaded to saucy.
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
This bug was fixed in the package bzr - 2.6.0~bzr6574-1ubuntu1

---
bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu changes:
    - Drop build dependencies on python-{meliae,lzma,medusa}, which are not in main.
  * Drop changes to Vcs fields. The UDD imports are out of date.

bzr (2.6.0~bzr6574-1) unstable; urgency=low

  * New upstream snapshot.
    - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single SSL cert hostname segment (Closes: #709068, LP: #1182124).

bzr (2.6.0~bzr6573-1) unstable; urgency=low

  * Upload to unstable.
  * New upstream snapshot.
  * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test (LP: #1116079, #1160572).
  * Drop debian/patches/04_revert_ui_changes, fixed upstream.
  * Drop deprecated Dm-Upload-Allowed field.
  * Bump Standards-Version to 3.9.4, no changes needed.
  * Drop un-needed Build-Conflicts on python-gpgme.

 -- Andrew Starr-Bochicchio a.star...@gmail.com  Mon, 20 May 2013 20:55:13 -0400

** Changed in: bzr (Ubuntu)
    Status: Triaged => Fix Released
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: bzr (Debian)
    Status: Confirmed => Fix Released
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: bzr
    Status: Triaged => In Progress

** Changed in: bzr
    Assignee: (unassigned) => Andrew Starr-Bochicchio (andrewsomething)
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: bzr (Debian)
    Status: Unknown => Confirmed
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: python
    Status: Unknown => Fix Released
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Branch linked: lp:~andrewsomething/bzr/CVE-2013-2099
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Changed in: bzr (Ubuntu)
    Status: Triaged => In Progress

** Changed in: bzr (Ubuntu)
    Assignee: (unassigned) => Andrew Starr-Bochicchio (andrewsomething)

** Changed in: bzr
    Status: In Progress => Fix Committed

** Changed in: bzr
    Milestone: None => 2.6b3
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
Fixed both upstream and Debian. Attached debdiff merges the fix from Debian.

(I've dropped the Ubuntu change to Vcs fields as the UDD bzr imports for both Debian and Ubuntu are out of date. So that branch isn't very helpful. Yes, I realize that is a bit ironic...)

Changes since last Ubuntu version:

 bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low
 .
   * Merge from Debian unstable. Remaining Ubuntu changes:
     - Drop build dependencies on python-{meliae,lzma,medusa}, which are not in main.
   * Drop changes to Vcs fields. The UDD imports are out of date.
 .
 bzr (2.6.0~bzr6574-1) unstable; urgency=low
 .
   * New upstream snapshot.
     - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single SSL cert hostname segment (Closes: #709068, LP: #1182124).
 .
 bzr (2.6.0~bzr6573-1) unstable; urgency=low
 .
   * Upload to unstable.
   * New upstream snapshot.
   * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test (LP: #1116079, #1160572).
   * Drop debian/patches/04_revert_ui_changes, fixed upstream.
   * Drop deprecated Dm-Upload-Allowed field.
   * Bump Standards-Version to 3.9.4, no changes needed.
   * Drop un-needed Build-Conflicts on python-gpgme.

** Patch added: debian>ubuntu.debdiff
   https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1182124/+attachment/3682448/+files/debian%3Eubuntu.debdiff
[Bug 1182124] Re: [CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names
** Patch added: old.ubuntu>new.ubuntu.debdiff
   https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1182124/+attachment/3682449/+files/old.ubuntu%3Enew.ubuntu.debdiff

** Changed in: bzr (Ubuntu)
    Status: In Progress => Triaged