Created on 2012-01-27 08:25 by pitrou, last changed 2012-03-13 12:25 by thoger. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| CVE-2011-3389-2.7.patch | pitrou, 2012-01-27 08:34 | |||
| CVE-2011-3389-3.2.patch | pitrou, 2012-01-27 08:34 | |||
| Messages (7) | |||
|---|---|---|---|
| msg152068 - (view) | Author: Antoine Pitrou (pitrou) *  |
Date: 2012-01-27 08:25 | |
Original e-mail from Apple security team: > Follow-up: 187806281 > > SSL 3.0 and TLS 1.0 are vulnerable to an attack described at > > http://www.openssl.org/~bodo/tls-cbc.txt > > OpenSSL includes a countermeasure which prevents the attack, but python > 2.7 has, around line 372 of Modules/_ssl.c: > > SSL_CTX_set_options(self->ctx, SSL_OP_ALL); > > SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS which disables the > countermeasure. > > 2.6 is similar. |
|||
| msg152069 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2012-01-27 08:34 | |
Attaching patches. |
|||
| msg152071 - (view) | Author: Roundup Robot (python-dev) | Date: 2012-01-27 08:49 | |
New changeset 9a4131ada792 by Antoine Pitrou in branch '2.6': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/9a4131ada792 New changeset 8dec547c23d3 by Antoine Pitrou in branch '2.7': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/8dec547c23d3 |
|||
| msg152072 - (view) | Author: Roundup Robot (python-dev) | Date: 2012-01-27 08:57 | |
New changeset e7706bdaaa0d by Antoine Pitrou in branch '3.1': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/e7706bdaaa0d New changeset 4386686a035d by Antoine Pitrou in branch '3.2': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/4386686a035d New changeset d1390175fdc6 by Antoine Pitrou in branch 'default': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/d1390175fdc6 |
|||
| msg152073 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2012-01-27 08:58 | |
This hopefully fixes the issue. |
|||
| msg152093 - (view) | Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2012-01-27 13:06 | |
Thank you for handling this, Antoine! |
|||
| msg155599 - (view) | Author: Tomas Hoger (thoger) | Date: 2012-03-13 12:25 | |
Is the final patch going to enable empty fragments unconditionally and will ofter no way to disable them? curl did that recently and ended up adding option to allow users to disable empty fragments when they break compatibility: http://curl.haxx.se/docs/adv_20120124B.html http://thread.gmane.org/gmane.comp.web.curl.library/34659 http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLOPTIONS http://curl.haxx.se/docs/manpage.html#--ssl-allow-beast |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2012-03-13 12:25:51 | thoger | set | nosy:
+ thoger messages: + msg155599 |
| 2012-02-01 20:08:36 | jcea | set | nosy:
+ jcea |
| 2012-01-27 13:06:14 | benjamin.peterson | set | messages: + msg152093 |
| 2012-01-27 08:58:46 | pitrou | set | status: open -> closed resolution: fixed messages: + msg152073 stage: commit review -> resolved |
| 2012-01-27 08:57:49 | python-dev | set | messages: + msg152072 |
| 2012-01-27 08:49:22 | python-dev | set | nosy:
+ python-dev messages: + msg152071 |
| 2012-01-27 08:34:21 | pitrou | set | files:
+ CVE-2011-3389-3.2.patch messages: + msg152069 |
| 2012-01-27 08:34:03 | pitrou | set | files:
+ CVE-2011-3389-2.7.patch keywords: + patch |
| 2012-01-27 08:25:53 | pitrou | create | |