Python : Incorrect hostname verification

Overview

The HTTP clients in the httplib, urllib, urllib2, and xmlrpclib libraries in Python 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's Common Name or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

The ssl.match_hostname function in Python before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
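As an added illustration (not code from the original entry or from CPython), the following shows the two halves of the fix: a context that actually validates the chain and the hostname, and a strict RFC 6125-style matcher that handles wildcards the way the corrected `ssl.match_hostname` does (wildcard only as the whole left-most label, matching exactly one label, never for a bare TLD). The certificate dictionary is constructed to mimic the shape returned by `SSLSocket.getpeercert()`; it is not a real certificate.

```python
import ssl
import ipaddress
from typing import Mapping

def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style).

    A wildcard is accepted only as the entire left-most label, it matches
    exactly one label, and it must be followed by at least two labels
    (so '*' or '*.com' never match). Partial wildcards such as
    'f*.example.com' are rejected. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or "*" in pattern[1:]:
        return False                      # only '*.' as the whole first label
    if len(pat_labels) < 3:
        return False                      # '*.com' is too broad
    if len(host_labels) != len(pat_labels):
        return False                      # wildcard matches exactly one label
    return host_labels[1:] == pat_labels[1:]

def hostname_matches_cert(cert: Mapping, hostname: str) -> bool:
    """Check hostname against subjectAltName; fall back to the CN only when no SAN is present."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    if dns_names or ip_names:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            return any(_dns_label_match(n, hostname) for n in dns_names)
        return any(ipaddress.ip_address(n) == ip for n in ip_names)
    for rdn in cert.get("subject", ()):      # legacy fallback: subject Common Name
        for key, value in rdn:
            if key == "commonName":
                return _dns_label_match(value, hostname)
    return False

def hardened_context() -> ssl.SSLContext:
    """Context that validates the chain against the trust store and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

# Constructed sample shaped like getpeercert() output (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
```

Passing `hardened_context()` as the `context` argument of `urllib.request.urlopen` (or `http.client.HTTPSConnection`) gives the verifying behaviour that the patched versions use by default.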

In Django, you must correctly set the ALLOWED_HOSTS setting when DEBUG = False. Django validates the Host header against ALLOWED_HOSTS in the django.http.HttpRequest.get_host() method. This check stops an attacker from using requests with a forged HTTP Host header to poison caches or to inject links to malicious hosts into generated emails, which is possible even with many seemingly secure web server configurations.

DerScanner Severity Score: LOW
