From bfe36ec1f580248d5e718667c204974275f8974a Mon Sep 17 00:00:00 2001
From: Georg Brandl <georg@python.org>
Date: Sun, 12 May 2013 12:28:20 +0200
Subject: [PATCH 1/3] Bump to version 3.2.5.

---
 Include/patchlevel.h      | 4 ++--
 Lib/distutils/__init__.py | 2 +-
 Lib/idlelib/idlever.py    | 2 +-
 Misc/NEWS                 | 2 +-
 Misc/RPM/python-3.2.spec  | 2 +-
 README                    | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Include/patchlevel.h b/Include/patchlevel.h
index b9f79a37c9a..4ba3b067470 100644
--- a/Include/patchlevel.h
+++ b/Include/patchlevel.h
@@ -18,12 +18,12 @@
 /*--start constants--*/
 #define PY_MAJOR_VERSION	3
 #define PY_MINOR_VERSION	2
-#define PY_MICRO_VERSION	4
+#define PY_MICRO_VERSION	5
 #define PY_RELEASE_LEVEL	PY_RELEASE_LEVEL_FINAL
 #define PY_RELEASE_SERIAL	0
 
 /* Version as a string */
-#define PY_VERSION      	"3.2.4"
+#define PY_VERSION      	"3.2.5"
 /*--end constants--*/
 
 /* Subversion Revision number of this file (not of the repository). Empty
diff --git a/Lib/distutils/__init__.py b/Lib/distutils/__init__.py
index b8f1c164c0f..f9016d6d174 100644
--- a/Lib/distutils/__init__.py
+++ b/Lib/distutils/__init__.py
@@ -13,5 +13,5 @@ used from a setup script as
 # Updated automatically by the Python release process.
 #
 #--start constants--
-__version__ = "3.2.4"
+__version__ = "3.2.5"
 #--end constants--
diff --git a/Lib/idlelib/idlever.py b/Lib/idlelib/idlever.py
index 671b2b8ae10..4a7c3362af9 100644
--- a/Lib/idlelib/idlever.py
+++ b/Lib/idlelib/idlever.py
@@ -1 +1 @@
-IDLE_VERSION = "3.2.4"
+IDLE_VERSION = "3.2.5"
diff --git a/Misc/NEWS b/Misc/NEWS
index 7308e72a835..0e945dd1175 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -1,4 +1,4 @@
-+++++++++++
+++++++++++
 Python News
 +++++++++++
 
diff --git a/Misc/RPM/python-3.2.spec b/Misc/RPM/python-3.2.spec
index 646d9d8ebe7..c93f6bf5139 100644
--- a/Misc/RPM/python-3.2.spec
+++ b/Misc/RPM/python-3.2.spec
@@ -39,7 +39,7 @@
 
 %define name python
 #--start constants--
-%define version 3.2.4
+%define version 3.2.5
 %define libvers 3.2
 #--end constants--
 %define release 1pydotorg
diff --git a/README b/README
index 78f40beac3e..6d8e18c9184 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-This is Python version 3.2.4
+This is Python version 3.2.5
 ============================
 
 Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011,

From 8833c3bcd17f7a16688bfaa8d4776318e85e64d4 Mon Sep 17 00:00:00 2001
From: Georg Brandl <georg@python.org>
Date: Sun, 12 May 2013 12:28:30 +0200
Subject: [PATCH 2/3] Added tag v3.2.5 for changeset cef745775b65

---
 .hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags b/.hgtags
index a9c7696e278..83c67ec624e 100644
--- a/.hgtags
+++ b/.hgtags
@@ -101,3 +101,4 @@ c860feaa348d663e598986894ee4680480577e15 v3.2.2rc1
 3d0686d90f55a78f96d9403da2c52dc2411419d0 v3.2.3
 b2cb7bc1edb8493c0a78f9331eae3e8fba6a881d v3.2.4rc1
 1e10bdeabe3de02f038a63c001911561ac1d13a7 v3.2.4
+cef745775b6583446572cffad704100983db2bea v3.2.5

From 86d53caddad11808ca332ab93ec35508b602a0dd Mon Sep 17 00:00:00 2001
From: Antoine Pitrou <solipsis@pitrou.net>
Date: Sat, 18 May 2013 17:56:42 +0200
Subject: [PATCH 3/3] Issue #17980: Fix possible abuse of ssl.match_hostname()
 for denial of service using certificates with many wildcards (CVE-2013-2099).

---
 Lib/ssl.py           |  9 ++++++++-
 Lib/test/test_ssl.py | 11 +++++++++++
 Misc/NEWS            |  3 +++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/Lib/ssl.py b/Lib/ssl.py
index e901b640a62..90c21ceff78 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -108,9 +108,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d1cb3f1b84c..4d67fa1de4f 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -326,6 +326,17 @@ class BasicSocketTests(unittest.TestCase):
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
diff --git a/Misc/NEWS b/Misc/NEWS
index 0e945dd1175..4be9e004212 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.2.5?
 Library
 -------
 
+- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of
+  service using certificates with many wildcards (CVE-2013-2099).
+
 - Issue #17192: Restore the patch for Issue #11729 and Issue #10309
   which were omitted in 3.2.4 when updating the bundled version of
   libffi used by ctypes.