[python-committers] fyi - openssl vulnerability - likely in our windows builds

martin at v.loewis.de martin at v.loewis.de
Mon Apr 23 23:42:11 CEST 2012

Previous message: [python-committers] fyi - openssl vulnerability - likely in our windows builds
Next message: [python-committers] fyi - openssl vulnerability - likely in our windows builds
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I don't see any occurrence of these functions in the various versions of
> the _ssl module.
> Is Python really affected by this vulnerability?

We use SSL_CTX_use_certificate_chain_file, which ultimately uses
d2i_X509_AUX_fp (I think).

However, I fail to see how this constitutes are remote vulnerability:
one would have to inject a bad PEM file into an application to trigger
this.

http://isc.sans.edu/diary.html?storyid=13018

claims that this is *not* exploitable over TLS (and I agree); they
warn that it can be exploited e.g. when Apache reads server certificates
from untrusted users. Even in the local case, you need a Python application
running under one account that reads certificate files belonging to
a different (Unix) account to create an exploit.

So I propose that for the regular bugfix releases, we upgrade the OpenSSL
version, but otherwise take no action at this point.

Regards,
Martin

Previous message: [python-committers] fyi - openssl vulnerability - likely in our windows builds
Next message: [python-committers] fyi - openssl vulnerability - likely in our windows builds
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the python-committers mailing list