[Python-Dev] SSL issues in Python stdlib and 3rd party code

Terry Reedy tjreedy at udel.edu
Tue Aug 13 18:37:45 CEST 2013

On 8/13/2013 5:06 AM, Christian Heimes wrote:
> Hash: SHA512
> CVE-2013-4238 has been signed to NULL bytes in subjectAltName issue.

>    http://bugs.python.org/issue18709
>    http://www.openwall.com/lists/oss-security/2013/08/13/2
> Should we assign a CVE to issue in ssl.match_hostname(), too? Even
> more projects have copied our code (bzr, tornado, pip, setuptools):
>    http://bugs.python.org/issue17997
>    https://bugs.mageia.org/show_bug.cgi?id=10391
>    https://bugzilla.redhat.com/show_bug.cgi?id=963260#c11

I personlly thought that the CVE people did the assigning, or are you 
talking about asking them? What are the implications of 'yes' versus 
'no'? If a number would get more attention, and you think that needed, 
do it.

Terry Jan Reedy

More information about the Python-Dev mailing list