CVE-2013-2099
bzr - security update
EPSS 3.0%
Description
Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. The matcher turned every `*` in a certificate name into an unbounded regular-expression quantifier, so a name such as `a*a*a*a*a*a*a*a*` compiled to a chain of nested quantifiers that backtracks for a time polynomial in the hostname length and exponential in the number of wildcards whenever the hostname does not match. Any client that validates a server certificate with this function, including copies of it vendored into other packages such as bzr, can be stalled by a malicious server presenting such a certificate. The upstream fix (CPython issue 17980) refuses names with more than one wildcard in the leftmost label and raises CertificateError instead of attempting the match.
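As an added illustration (this code is not from the advisory, from CPython or from the bzr project), the block below reconstructs the shape of the wildcard-to-regex logic that ssl.match_hostname and backports.ssl_match_hostname used before the fix, places it next to the hardened form that caps wildcards per label, and includes a probe that asks the running interpreter's own ssl.match_hostname whether it carries the fix. All function names, the constructed certificate names and the sample hostnames are this example's own.

```python
# Added example (not from the advisory page, CPython or bzr): a reconstruction
# of the wildcard matching behind CVE-2013-2099 before and after the fix, plus a
# probe of the interpreter's own ssl.match_hostname. Names are this example's.
import re
import ssl
import warnings


class CertificateError(ValueError):
    """Raised when a certificate name cannot be matched against the hostname."""


def dnsname_match_legacy(dn, hostname):
    """Pre-fix behaviour: every '*' in every label becomes '[^.]*' with no cap,
    so a CN such as 'a*a*a*a*a*a*a*' compiles to a chain of unbounded
    quantifiers that backtracks for a time polynomial in len(hostname) with the
    wildcard count as the exponent whenever the hostname does NOT match."""
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')          # bare '*' matches one non-empty label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def dnsname_match_hardened(dn, hostname, max_wildcards=1):
    """Post-fix behaviour, following the approach of the upstream fix: refuse
    more than max_wildcards '*' in the leftmost label, honour wildcards only in
    that label (RFC 6125 section 6.4.3), and short-circuit names with none."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()
    if leftmost == '*':
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]      # no wildcard expansion in IDNA labels
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)   # remaining labels literal
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def hardened_rejects(dn, hostname):
    """True if the hardened matcher refuses dn outright (too many wildcards)."""
    try:
        dnsname_match_hardened(dn, hostname)
    except CertificateError:
        return True
    return False


def pathological_cn(wildcards):
    """Constructed attacker CN: 'a*' repeated, then a literal domain suffix."""
    return 'a*' * wildcards + '.example.com'


def probe_installed_ssl():
    """Ask the interpreter's own ssl.match_hostname about a multi-wildcard CN.
    Returns 'absent' (function removed, Python 3.12+), 'patched' (it refuses the
    name because of the wildcards) or 'vulnerable' (it tries to match). The
    hostname is tiny, so even a vulnerable build answers quickly."""
    match = getattr(ssl, 'match_hostname', None)
    if match is None:
        return 'absent'
    cert = {'subject': ((('commonName', pathological_cn(3)),),)}  # constructed
    with warnings.catch_warnings():
        warnings.simplefilter('ignore', DeprecationWarning)
        try:
            match(cert, 'x.example.com')
        except ssl.CertificateError as exc:
            return 'patched' if 'wildcard' in str(exc).lower() else 'vulnerable'
    return 'vulnerable'


if __name__ == '__main__':
    import time
    victim = 'a' * 25 + '.example.org'   # never matches, so backtracking runs fully
    for k in (3, 5, 7):
        t0 = time.perf_counter()
        dnsname_match_legacy(pathological_cn(k), victim)
        print('legacy matcher, %d wildcards: %.3fs' % (k, time.perf_counter() - t0))
    print('hardened matcher rejects it:', hardened_rejects(pathological_cn(7), victim))
    print('installed ssl.match_hostname:', probe_installed_ssl())
```

Running the module prints how the legacy matcher's time grows with each extra wildcard on a 25-character non-matching hostname, while the hardened matcher answers immediately; the probe is the quick check to run on a host where the Python or backports package version is in doubt.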
How to fix CVE-2013-2099
To remediate CVE-2013-2099, upgrade the affected package to a fixed version below.
- Debian/bzr—upgrade to 2.6.0~bzr6574-1 or later
- Debian/bzr—upgrade to 2.6.0~bzr6526-1+deb7u1 or later
- —upgrade to 8.5-1 or later
- —upgrade to 2.7.5-5 or later
- —upgrade to 2.4.1-3 or later
- —upgrade to 1.6-2 or later
Is CVE-2013-2099 being exploited?
Low — EPSS is 3.0%, i.e. the model estimates roughly a 3% probability of exploitation activity in the wild within the next 30 days; the score is a prediction, not a report of observed attacks.
Affected packages (6)
- from 0, < 2.6.0~bzr6574-1
- from 0, < 2.6.0~bzr6526-1+deb7u1
- from 0, < 8.5-1
- from 0, < 2.7.5-5
- from 0, < 2.4.1-3
- from 0, < 1.6-2