Fluid Attacks Database

Description

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-urllib3	>=0 <1.6-2	1.6-2
debian 11	linkchecker	>=0 <8.5-1	8.5-1
debian 11	python2.7	>=0 <2.7.5-5	2.7.5-5
debian 11	python-tornado	>=0 <2.4.1-3	2.4.1-3
debian 11	bzr	>=0 <2.6.0~bzr6574-1	2.6.0~bzr6574-1
debian 11	python-urllib3	>=0 <1.6-2	1.6-2
debian 12	python-tornado	>=0 <2.4.1-3	2.4.1-3
debian 12	bzr	>=0 <2.6.0~bzr6574-1	2.6.0~bzr6574-1
debian 12	linkchecker	>=0 <8.5-1	8.5-1
debian 13	python-tornado	>=0 <2.4.1-3	2.4.1-3

1-10 of 18

Aliases

1. CVE-2013-20992. NVD-2013-20993. OSV-DEBIAN-2013-20994. OSV-2013-20995. GCVE-2013-20996. SECURITY-TRACKER-CVE-2013-20997. bugzilla.redhat.com

References

1. http://bugs.python.org/issue17980

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.