CVE-2013-4238

Name	CVE-2013-4238
Description	The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-25-1, DSA-2880-1, ELA-165-1
Debian Bugs	719566, 719567, 719568

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	fixed
	stretch (security)	2.7.13-2+deb9u6	fixed
	stretch (lts), stretch	2.7.13-2+deb9u9	fixed
	buster (security), buster, buster (lts)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python2.5	source	(unstable)	(unfixed)	low
python2.6	source	squeeze	2.6.6-8+deb6u1		DLA-25-1
python2.6	source	wheezy	2.6.8-1.1+deb7u4		ELA-165-1
python2.6	source	(unstable)	(unfixed)	low
python2.7	source	wheezy	2.7.3-6+deb7u2		DSA-2880-1
python2.7	source	(unstable)	2.7.5-8	low		719566
python3.1	source	(unstable)	(unfixed)	low
python3.2	source	(unstable)	(unfixed)	low		719568
python3.3	source	(unstable)	3.3.2-6	low		719567

Notes

[squeeze] - python2.5 <no-dsa> (Minor issue)
[wheezy] - python2.6 <no-dsa> (Minor issue)
[squeeze] - python3.1 <no-dsa> (Minor issue)
[wheezy] - python3.2 <no-dsa> (Minor issue)
http://bugs.python.org/issue18709
https://bugs.mageia.org/show_bug.cgi?id=10989