msg194944 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-12 11:32 |
Ryan Sleevi of the Google Chrome Security Team has informed us that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. It's related to Ruby's CVE-2013-4073 http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
Although Python uses a slightly different OpenSSL API to parse a X.509 certificate and turn its fields into a dictionary, our implementation eventually uses an OpenSSL function that fails to handle NULL bytes. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname againt the certificate's subjectAltName's dNSName general names.
When the Ruby issues was announced publicly I already suspected that our code may suffer from the same issue. But I was unable to generate a X.509 certificate with a NULL byte in its X509v3 subjectAltName extension, only in subject and issuer. OpenSSL's config file format just didn't support NULL bytes. But Our code handled the NULL byte in subject in issuer just fine so I gave up. In the light of the bug report I went a different path and eventually I came up with a malicious certificate that showed the reported bug.
|
msg194945 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-12 11:34 |
Demo certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, OU=Python Core Development, CN=null.python.org\x00example.org/emailAddress=python-dev@python.org
Validity
Not Before: Aug 7 13:11:52 2013 GMT
Not After : Aug 7 13:12:52 2013 GMT
Subject: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, OU=Python Core Development, CN=null.python.org\x00example.org/emailAddress=python-dev@python.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:ea:ed:c9:fb:46:7d:6f:3b:76:80:dd:3a:f3:
03:94:0b:a7:a6:db:ec:1d:df:ff:23:74:08:9d:97:
16:3f:a3:a4:7b:3e:1b:0e:96:59:25:03:a7:26:e2:
88:a9:cf:79:cd:f7:04:56:b0:ab:79:32:6e:59:c1:
32:30:54:eb:58:a8:cb:91:f0:42:a5:64:27:cb:d4:
56:31:88:52:ad:cf:bd:7f:f0:06:64:1f:cc:27:b8:
a3:8b:8c:f3:d8:29:1f:25:0b:f5:46:06:1b:ca:02:
45:ad:7b:76:0a:9c:bf:bb:b9:ae:0d:16:ab:60:75:
ae:06:3e:9c:7c:31:dc:92:2f:29:1a:e0:4b:0c:91:
90:6c:e9:37:c5:90:d7:2a:d7:97:15:a3:80:8f:5d:
7b:49:8f:54:30:d4:97:2c:1c:5b:37:b5:ab:69:30:
68:43:d3:33:78:4b:02:60:f5:3c:44:80:a1:8f:e7:
f0:0f:d1:5e:87:9e:46:cf:62:fc:f9:bf:0c:65:12:
f1:93:c8:35:79:3f:c8:ec:ec:47:f5:ef:be:44:d5:
ae:82:1e:2d:9a:9f:98:5a:67:65:e1:74:70:7c:cb:
d3:c2:ce:0e:45:49:27:dc:e3:2d:d4:fb:48:0e:2f:
9e:77:b8:14:46:c0:c4:36:ca:02:ae:6a:91:8c:da:
2f:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
*************************************************************
WARNING: The values for DNS, email and URI are WRONG. OpenSSL
doesn't print the text after a NULL byte.
*************************************************************
DNS:altnull.python.org, email:null@python.org, URI:http://null.python.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
Signature Algorithm: sha1WithRSAEncryption
ac:4f:45:ef:7d:49:a8:21:70:8e:88:59:3e:d4:36:42:70:f5:
a3:bd:8b:d7:a8:d0:58:f6:31:4a:b1:a4:a6:dd:6f:d9:e8:44:
3c:b6:0a:71:d6:7f:b1:08:61:9d:60:ce:75:cf:77:0c:d2:37:
86:02:8d:5e:5d:f9:0f:71:b4:16:a8:c1:3d:23:1c:f1:11:b3:
56:6e:ca:d0:8d:34:94:e6:87:2a:99:f2:ae:ae:cc:c2:e8:86:
de:08:a8:7f:c5:05:fa:6f:81:a7:82:e6:d0:53:9d:34:f4:ac:
3e:40:fe:89:57:7a:29:a4:91:7e:0b:c6:51:31:e5:10:2f:a4:
60:76:cd:95:51:1a:be:8b:a1:b0:fd:ad:52:bd:d7:1b:87:60:
d2:31:c7:17:c4:18:4f:2d:08:25:a3:a7:4f:b7:92:ca:e2:f5:
25:f1:54:75:81:9d:b3:3d:61:a2:f7:da:ed:e1:c6:6f:2c:60:
1f:d8:6f:c5:92:05:ab:c9:09:62:49:a9:14:ad:55:11:cc:d6:
4a:19:94:99:97:37:1d:81:5f:8b:cf:a3:a8:96:44:51:08:3d:
0b:05:65:12:eb:b6:70:80:88:48:72:4f:c6:c2:da:cf:cd:8e:
5b:ba:97:2f:60:b4:96:56:49:5e:3a:43:76:63:04:be:2a:f6:
c1:ca:a9:94
The correct values are:
(('DNS', 'altnull.python.org\x00example.com'),
('email', 'null@python.org\x00user@example.org'),
('URI', 'http://null.python.org\x00http://example.org'),
('IP Address', '192.0.2.1'),
('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
|
msg194958 - (view) |
Author: STINNER Victor (vstinner) * |
Date: 2013-08-12 13:02 |
Does it really make sense to allow to open a certificate containing a NUL byte in its name? How does OpenSSL and other projects handle this case?
|
msg194959 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-12 13:14 |
OpenSSL's print() functions fail to handle the NULL byte in subjectAltName (SAN) general names as they use strlen() or printf() functions with "%s" format char. The subject and issuer elements with NULL bytes are handled correctly by OpenSSL.
wget and curl combine CN / SAN parsing and hostname matching in one function. Both report an error when they see a NULL byte in a dNSName (strlen(dNSName) != lengtt of ASN1_STRING).
Python has separate functions for retrieving the X.509 information and matching a hostname against CN / SAN. I like to keep it that way and just for our parsing code in this bug. Latter ssl.match_hostname() can check for NULL bytes and raise an exception, but that's a different issue.
|
msg195043 - (view) |
Author: Arun Babu Neelicattu (abn) * |
Date: 2013-08-13 03:05 |
This issue has been assigned CVE-2013-4238 [1].
Please use CVE-2013-4238 for this issue in Python for patches and references.
[1] http://www.openwall.com/lists/oss-security/2013/08/13/2
|
msg195056 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-13 08:56 |
Thanks! The title now references the new CVE #.
|
msg195069 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-13 12:10 |
Python 3.1 is affected, too. 3.1 will recieve security fixes until June 2014.
|
msg195307 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-16 00:37 |
Brian Cameron from Oracle has requested a fix for Python 2.6. I have attached a patch for 2.6. In order to compile and test the patch I had to modify _ssl.c to handle OPENSSL_NO_SSL2. I also copied keycert.pem from 2.7 to fix two test failures. The former keycert.pem has expired.
It's a bit of a challenge to compile Python 2.6 on modern Linux OS. I had to set a couple of flags and overwrite MACHDEP:
export arch=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
export LDFLAGS="-L/usr/lib/$arch -L/lib/$arch"
export CFLAGS="-I/usr/include/$arch"
export CPPFLAGS="-I/usr/include/$arch"
./configure --config-cache --with-pydebug
make -j4 MACHDEP=linux2
|
msg195347 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-16 16:03 |
For the record PHP has assigned CVE-2013-4248 for the issue.
|
msg195438 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2013-08-16 23:11 |
New changeset c9f073e593b0 by Christian Heimes in branch '3.3':
Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/c9f073e593b0
New changeset 7a0f398d1a5c by Christian Heimes in branch 'default':
Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/7a0f398d1a5c
New changeset bd2360476bdb by Christian Heimes in branch '2.7':
Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/bd2360476bdb
|
msg195440 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-16 23:22 |
I have applied the patch to 2.7, 3.3 and 3.4.
Barry, Benjamin, Georg:
Are you going to apply the patches yourselves?
|
msg195992 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2013-08-23 17:38 |
New changeset 79007c4244d6 by Barry Warsaw in branch '2.6':
- Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/79007c4244d6
|
msg196113 - (view) |
Author: Charles-François Natali (neologix) * |
Date: 2013-08-25 08:21 |
The test is failing on Tiger buildbots:
"""
======================================================================
FAIL: test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/db3l/buildarea/3.x.bolen-tiger/build/Lib/test/test_ssl.py", line 230, in test_parse_cert_CVE_2013_4238
('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
AssertionError: Tuples differ: (('DNS', 'altnull.python.org\x... != (('DNS', 'altnull.python.org\x...
First differing element 4:
('IP Address', '<invalid>')
('IP Address', '2001:DB8:0:0:0:0:0:1\n')
(('DNS', 'altnull.python.org\x00example.com'),
('email', 'null@python.org\x00user@example.org'),
('URI', 'http://null.python.org\x00http://example.org'),
('IP Address', '192.0.2.1'),
- ('IP Address', '<invalid>'))
+ ('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
----------------------------------------------------------------------
"""
http://buildbot.python.org/all/builders/x86 Tiger 3.x/builds/6829/steps/test/logs/stdio
|
msg196121 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2013-08-25 12:15 |
New changeset 004743d210e4 by Christian Heimes in branch '3.3':
Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/004743d210e4
New changeset 577e9402cadd by Christian Heimes in branch 'default':
Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/577e9402cadd
New changeset 1cd24ea5abeb by Christian Heimes in branch '2.7':
Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/1cd24ea5abeb
New changeset 50803d881a92 by Christian Heimes in branch '2.6':
Issue #18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/50803d881a92
|
msg196122 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-25 12:16 |
Tiger has OpenSSL 0.9.7 which doesn't support IPv6 addresses. I have added a workaround.
|
msg196565 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-08-30 17:43 |
It's not fixed in 3.1 and 3.2 yet. Please re-open the issue. I can't do it because I'm not at home.
"Charles-François Natali" <report@bugs.python.org> schrieb:
>
>Changes by Charles-François Natali <cf.natali@gmail.com>:
>
>
>----------
>resolution: -> fixed
>stage: patch review -> committed/rejected
>status: open -> closed
>
>_______________________________________
>Python tracker <report@bugs.python.org>
><http://bugs.python.org/issue18709>
>_______________________________________
|
msg196566 - (view) |
Author: Charles-François Natali (neologix) * |
Date: 2013-08-30 17:44 |
Oops.
|
msg196776 - (view) |
Author: Matěj Stuchlík (sYnfo) |
Date: 2013-09-02 09:47 |
Doing 'valgrind --suppressions=valgrind-python.supp ./python Lib/tests/regrtest.py test_ssl.py' I'm getting
==11944== LEAK SUMMARY:
==11944== definitely lost: 32 bytes in 1 blocks
==11944== indirectly lost: 392 bytes in 16 blocks
==11944== possibly lost: 27,008 bytes in 58 blocks
==11944== still reachable: 4,267,092 bytes in 4,124 blocks
==11944== suppressed: 32 bytes in 1 blocks
and as far as I can tell the leak is introduced by this patch, I can't seem to figure out what could be causing it though.
|
msg196777 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-09-02 10:51 |
I can't reproduce the memory leak. valgrind's output doesn't show suspicious memory leaks.
./configure --with-pydebug --config-cache
valgrind --suppressions=Misc/valgrind-python.supp ./python Lib/test/test_ssl.py
Python 3.4 tip
--------------
==26085== HEAP SUMMARY:
==26085== in use at exit: 1,286,703 bytes in 3,778 blocks
==26085== total heap usage: 210,241 allocs, 206,463 frees, 62,923,839 bytes allocated
==26085==
==26085== LEAK SUMMARY:
==26085== definitely lost: 0 bytes in 0 blocks
==26085== indirectly lost: 0 bytes in 0 blocks
==26085== possibly lost: 1,148,038 bytes in 555 blocks
==26085== still reachable: 138,665 bytes in 3,223 blocks
==26085== suppressed: 0 bytes in 0 blocks
Python 3.4.0a1 (without patch)
------------------------------
==32513== HEAP SUMMARY:
==32513== in use at exit: 1,708,298 bytes in 4,120 blocks
==32513== total heap usage: 237,965 allocs, 233,845 frees, 94,637,130 bytes allocated
==32513==
==32513== LEAK SUMMARY:
==32513== definitely lost: 0 bytes in 0 blocks
==32513== indirectly lost: 0 bytes in 0 blocks
==32513== possibly lost: 1,568,077 bytes in 893 blocks
==32513== still reachable: 140,221 bytes in 3,227 blocks
==32513== suppressed: 0 bytes in 0 blocks
==32513== Rerun with --leak-check=full to see details of leaked memory
Python 2.7 tip
--------------
==3184== HEAP SUMMARY:
==3184== in use at exit: 6,411,895 bytes in 4,757 blocks
==3184== total heap usage: 16,245 allocs, 11,488 frees, 32,948,412 bytes allocated
==3184==
==3184== LEAK SUMMARY:
==3184== definitely lost: 0 bytes in 0 blocks
==3184== indirectly lost: 0 bytes in 0 blocks
==3184== possibly lost: 1,823,596 bytes in 1,505 blocks
==3184== still reachable: 4,588,299 bytes in 3,252 blocks
==3184== suppressed: 0 bytes in 0 blocks
|
msg196779 - (view) |
Author: Matěj Stuchlík (sYnfo) |
Date: 2013-09-02 11:38 |
Oh, I only checked the particular commit that fixed this issue in 2.6 (50803d881a92). I am not getting any leaks in 2.6 tip either, so I guess it was fixed somewhere along the way.
Sorry for the confusion!
|
msg196999 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2013-09-05 14:06 |
New changeset 90040e560527 by Christian Heimes in branch '3.3':
Issue #18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/90040e560527
New changeset 4e93f32176fb by Christian Heimes in branch 'default':
Issue #18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/4e93f32176fb
New changeset 07ee48ce4513 by Christian Heimes in branch '2.6':
Issue #18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/07ee48ce4513
New changeset a7d5b86ffb95 by Christian Heimes in branch '2.7':
Issue #18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/a7d5b86ffb95
|
msg197692 - (view) |
Author: Georg Brandl (georg.brandl) * |
Date: 2013-09-14 07:16 |
Christian, is the -py32 patch still up to date?
|
msg197793 - (view) |
Author: Barry A. Warsaw (barry) * |
Date: 2013-09-15 17:00 |
I'm removing 2.6 from the Versions field since AFAIK we've resolved this issue for 2.6. This way it'll be easier to scan the blockers for 2.6.9.
If anyone things we still have things to address for this issue in 2.6.9, please reassign it or follow up.
|
msg200343 - (view) |
Author: Larry Hastings (larry) * |
Date: 2013-10-19 01:17 |
So, this is fixed, but there's some suspicion of a memory leak?
If that's true, maybe we could mark this as closed then open a new
bug for the leak? This shows up as a big scary "release blocker"
against 3.4, and I'm like making releases and stuff.
|
msg200377 - (view) |
Author: Matěj Stuchlík (sYnfo) |
Date: 2013-10-19 06:36 |
There's no longer any suspicion, no, at least from my side.
|
msg200395 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-10-19 10:17 |
I don't get it. Has somebody found a memory leak in my patch?
Larry, I have removed 2.7, 3.3 and 3.4 from the affected versions. They fix has already landed. 3.1 and 3.2 are still open, though.
Georg, the patch for 3.2 is still up to date. Are you going to commit it?
|
msg203168 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-11-17 14:22 |
The patch hasn't been committed to 3.2 yet.
|
msg214973 - (view) |
Author: Éric Araujo (eric.araujo) * |
Date: 2014-03-27 17:34 |
Not sure if 3.2 is still open to security fixes.
|
msg227894 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2014-09-30 12:47 |
New changeset 386b0f478117 by Georg Brandl in branch '3.2':
Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
https://hg.python.org/cpython/rev/386b0f478117
|
msg323510 - (view) |
Author: Anuj (Anuj) |
Date: 2018-08-14 12:22 |
Do we have patch for 3.1 version, or 3.2 patch will be also OK?
|
msg323514 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2018-08-14 12:45 |
These Python versions no longer receive security updates. Please update.
|
|
Date |
User |
Action |
Args |
2022-04-11 14:57:49 | admin | set | github: 62909 |
2018-08-14 12:45:53 | christian.heimes | set | messages:
+ msg323514 |
2018-08-14 12:22:27 | Anuj | set | nosy:
+ Anuj messages:
+ msg323510
|
2014-09-30 12:47:58 | georg.brandl | set | status: open -> closed |
2014-09-30 12:47:30 | python-dev | set | messages:
+ msg227894 |
2014-03-27 17:34:19 | eric.araujo | set | nosy:
+ eric.araujo messages:
+ msg214973
|
2013-11-17 14:22:18 | christian.heimes | set | assignee: georg.brandl messages:
+ msg203168 versions:
- Python 3.1 |
2013-10-19 10:17:50 | christian.heimes | set | messages:
+ msg200395 versions:
- Python 2.7, Python 3.3, Python 3.4 |
2013-10-19 06:36:41 | sYnfo | set | messages:
+ msg200377 |
2013-10-19 01:17:53 | larry | set | messages:
+ msg200343 |
2013-09-15 17:00:42 | barry | set | messages:
+ msg197793 versions:
- Python 2.6 |
2013-09-14 13:38:15 | neologix | set | nosy:
- neologix
|
2013-09-14 07:16:03 | georg.brandl | set | priority: critical -> release blocker nosy:
+ larry messages:
+ msg197692
|
2013-09-05 14:06:59 | python-dev | set | messages:
+ msg196999 |
2013-09-03 17:00:12 | Arfrever | set | title: SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238) -> SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238) |
2013-09-02 11:38:34 | sYnfo | set | messages:
+ msg196779 |
2013-09-02 10:51:30 | christian.heimes | set | messages:
+ msg196777 |
2013-09-02 09:47:15 | sYnfo | set | nosy:
+ sYnfo messages:
+ msg196776
|
2013-08-30 17:44:42 | neologix | set | status: closed -> open
messages:
+ msg196566 |
2013-08-30 17:43:31 | christian.heimes | set | messages:
+ msg196565 title: SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238) -> SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238) |
2013-08-30 17:33:51 | neologix | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
2013-08-25 12:16:16 | christian.heimes | set | messages:
+ msg196122 |
2013-08-25 12:15:06 | python-dev | set | messages:
+ msg196121 |
2013-08-25 09:04:27 | dstufft | set | nosy:
+ dstufft
|
2013-08-25 08:21:21 | neologix | set | nosy:
+ neologix messages:
+ msg196113
|
2013-08-23 17:38:48 | python-dev | set | messages:
+ msg195992 |
2013-08-16 23:25:16 | christian.heimes | set | files:
+ CVE-2013-4238-py32.patch |
2013-08-16 23:22:54 | christian.heimes | set | files:
+ CVE-2013-4238-py31.patch |
2013-08-16 23:22:25 | christian.heimes | set | nosy:
+ georg.brandl, benjamin.peterson messages:
+ msg195440
|
2013-08-16 23:11:12 | python-dev | set | nosy:
+ python-dev messages:
+ msg195438
|
2013-08-16 16:03:31 | christian.heimes | set | messages:
+ msg195347 |
2013-08-16 00:37:06 | christian.heimes | set | files:
+ CVE-2013-4073_py26.patch
messages:
+ msg195307 |
2013-08-13 12:10:09 | christian.heimes | set | messages:
+ msg195069 versions:
+ Python 3.1 |
2013-08-13 11:22:17 | Arfrever | set | nosy:
+ Arfrever
|
2013-08-13 08:56:55 | christian.heimes | set | messages:
+ msg195056 title: SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4073) -> SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238) |
2013-08-13 03:05:11 | abn | set | nosy:
+ abn messages:
+ msg195043
|
2013-08-12 13:14:14 | christian.heimes | set | messages:
+ msg194959 |
2013-08-12 13:08:07 | barry | set | nosy:
+ barry
|
2013-08-12 13:02:36 | vstinner | set | nosy:
+ vstinner messages:
+ msg194958
|
2013-08-12 11:35:06 | christian.heimes | set | files:
+ CVE-2013-4073_py27.patch |
2013-08-12 11:34:49 | christian.heimes | set | files:
+ CVE-2013-4073_py33.patch |
2013-08-12 11:34:31 | christian.heimes | set | files:
+ CVE-2013-4073_py34.patch keywords:
+ patch |
2013-08-12 11:34:13 | christian.heimes | set | files:
+ nullbytecert.pem
messages:
+ msg194945 |
2013-08-12 11:32:52 | christian.heimes | create | |