CVE-2013-7440

Name	CVE-2013-7440
Description	The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python2.7 (PTS)	buster	2.7.16-2+deb10u1	fixed
	buster (security)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
python2.5	source	(unstable)	(unfixed)
python2.6	source	(unstable)	(unfixed)
python2.7	source	(unstable)	2.7.9-1
python3.1	source	(unstable)	(unfixed)
python3.2	source	(unstable)	(unfixed)
python3.3	source	(unstable)	3.3.3-1
python3.4	source	(unstable)	3.4~b1-4

Notes

[wheezy] - python3.2 <no-dsa> (Minor issue, too intrusive to backport)
[squeeze] - python3.1 <no-dsa> (Minor issue)
[wheezy] - python2.7 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - python2.6 <no-dsa> (Minor issue, too intrusive to backport)
[squeeze] - python2.6 <no-dsa> (Minor issue)
[squeeze] - python2.5 <no-dsa> (Minor issue)
https://bugs.python.org/issue17997#msg194950
https://hg.python.org/cpython/rev/10d0edadbcdd
The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult.