
bzr: denial of service

Package(s): bzr
CVE #(s): CVE-2013-2099, CVE-2013-2098
Created: June 7, 2013
Updated: September 10, 2013
Description:

From the Red Hat bug report:

A denial of service flaw was found in the way the SSL module implementation of Python3, version 3 of the Python programming language (aka Python 3000), performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause a denial of service (excessive CPU consumption) by issuing a request to validate such a certificate for / to an application using Python's ssl.match_hostname() functionality.
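The mechanism behind the report is a wildcard-to-regex translation: each '*' in a certificate name becomes an unbounded sub-pattern, and a name packed with wildcards makes the regex engine backtrack exponentially when the hostname does not match. The defensive pattern is to bound the number of wildcards before any regex is compiled, so a hostile certificate is rejected in linear time. The code below is an added illustration of that check, written for this page; it is not the CPython ssl module, the bzr code, or anything from the Red Hat report, and the MAX_WILDCARDS limit of one per name is an assumption chosen for the example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name is malformed (here: too many wildcards)."""


# Assumption for this example: one '*' per name covers legitimate wildcard certificates.
MAX_WILDCARDS = 1


def count_wildcards(dnsname):
    """Return the number of '*' characters in a certificate DNS name."""
    return dnsname.count("*")


def dnsname_to_pattern(dnsname):
    """Compile a certificate DNS name into an anchored, case-insensitive regex.

    The wildcard budget is enforced *before* the regex is built, so the
    expensive path (compiling and matching an `[^.]*[^.]*...` pattern) is
    never reached for a hostile name.  A '*' matches only within one label,
    never across a '.'.
    """
    if count_wildcards(dnsname) > MAX_WILDCARDS:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dnsname)
    parts = []
    for label in dnsname.split("."):
        if label == "*":
            parts.append(r"[^.]+")  # a lone '*' label must match at least one character
        else:
            # Escape regex metacharacters, then let an embedded '*' match
            # zero or more non-dot characters within the label.
            parts.append(re.escape(label).replace(r"\*", r"[^.]*"))
    return re.compile(r"\A" + r"\.".join(parts) + r"\Z", re.IGNORECASE)


def safe_match_hostname(cert_names, hostname):
    """Return True if hostname matches any of the certificate's DNS names.

    A malformed name raises CertificateError rather than being matched,
    which is the fail-closed behaviour a TLS client should want.
    """
    for name in cert_names:
        if dnsname_to_pattern(name).match(hostname):
            return True
    return False


def demo():
    """Constructed inputs: a benign wildcard name and a wildcard-stuffed one."""
    benign = ["*.example.com"]
    hostile = ["*" * 40 + ".example.com"]  # constructed hostile certificate name
    results = {
        "benign_matches_www": safe_match_hostname(benign, "www.example.com"),
        "benign_rejects_subsub": safe_match_hostname(benign, "a.b.example.com"),
    }
    try:
        safe_match_hostname(hostile, "www.example.com")
        results["hostile_rejected"] = False
    except CertificateError:
        results["hostile_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The wildcard count is a plain string scan, so the cost of rejecting a hostile name is proportional to its length regardless of how many '*' it carries; the regex is only ever compiled for names that have already passed the budget.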

Alerts:
Fedora FEDORA-2013-9628 2013-06-07
Fedora FEDORA-2013-9620 2013-06-07
Fedora FEDORA-2013-12414 2013-07-15
Fedora FEDORA-2013-12396 2013-07-15
Fedora FEDORA-2013-12421 2013-07-15
Fedora FEDORA-2013-13216 2013-07-26
Fedora FEDORA-2013-13140 2013-07-26
Fedora FEDORA-2013-13213 2013-07-26
Mageia MGASA-2013-0252 2013-08-22
Mandriva MDVSA-2013:229 2013-09-10
Ubuntu USN-1983-1 2013-10-01
Ubuntu USN-1984-1 2013-10-01
Ubuntu USN-1985-1 2013-10-01


bzr: denial of service

Posted Jun 17, 2013 11:03 UTC (Mon) by nix (subscriber, #2304)

The question is... if this was a bzr bug, could you *tell* if it bit you? It still takes unreasonably long to do all sorts of trivial operations with it, even when it's working properly...

bzr: denial of service

Posted Jun 17, 2013 23:31 UTC (Mon) by mathstuf (subscriber, #69389)

If you're familiar with git, probably not. If you're used to waiting for svn and cvs, bzr is probably a vast improvement. Personally, I've even gotten to the point where hg is way too slow for normal usage.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds