[Openstack-security] Python SSL vulnerability
Jeffrey Walton
noloader at gmail.com
Fri Oct 4 19:02:38 UTC 2013
On Fri, Oct 4, 2013 at 10:07 AM, Clark, Robert Graham
<robert.clark at hp.com> wrote:
> Hi Guys,
>
> Worth flagging this here in case anyone missed it, I thought we were past the NULL Cname issues in SSL libraries, I guess not:
>
> http://www.ubuntu.com/usn/usn-1983-1/
Yeah, I was surprised to see Moxie's NULL trick still being used
considering it dates back to 2009
(http://hackaday.com/2009/07/29/black-hat-2009-breaking-ssl-with-null-characters/).
I think CVE-2013-2099 is a little different, though. Python has a
history of hostname matching problems (cf. rejected bug report at
http://bugs.python.org/issue1589); and OpenSSL does not perform
hostname checking at the moment (it's in HEAD and slated for OpenSSL
1.1.0).
I believe Squid and/or libcurl has test certificates built for testing
those adverse conditions (I'm fairly certain about libcurl, but I
can't find Daniel's post at the moment).
Jeff
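
[Added example, not part of the original message and not code from Python's ssl module or OpenSSL.] A sketch of why an embedded NUL in a certificate name defeats a C-string-style comparison, next to a length-aware check that rejects such names before matching. The function names and the sample names are hypothetical and constructed for illustration.

```python
# Added example: all names below are constructed sample data, not taken from
# a real certificate. Function names are hypothetical.

def c_string_view(name: str) -> str:
    """What a NUL-terminated (C string) consumer sees: text before the first NUL."""
    return name.split("\x00", 1)[0]


def naive_match(cert_name: str, hostname: str) -> bool:
    """Flawed check: compares only the part of the name before the first NUL."""
    return c_string_view(cert_name).lower() == hostname.lower()


def strict_match(cert_name: str, hostname: str) -> bool:
    """Length-aware check: refuse odd bytes first, then compare label by label."""
    # Reject NUL, other control characters, spaces and non-ASCII outright.
    if any(ord(ch) < 0x21 or ord(ch) > 0x7E for ch in cert_name):
        return False
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in cert_labels:
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    # A wildcard is accepted only as the entire left-most label.
    if any("*" in label for label in rest):
        return False
    if first == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(cert_labels) >= 3 and rest == host_labels[1:]
    if "*" in first:
        return False
    return cert_labels == host_labels


def verify(cert_names, hostname, matcher) -> bool:
    """True if any name presented by the certificate matches under `matcher`."""
    return any(matcher(name, hostname) for name in cert_names)


# Constructed name with an embedded NUL after the expected hostname.
SAMPLE_NUL_NAME = "www.example.com\x00.other.example.net"

if __name__ == "__main__":
    for matcher in (naive_match, strict_match):
        result = verify([SAMPLE_NUL_NAME], "www.example.com", matcher)
        print(f"{matcher.__name__}: {result}")
```
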