On Mon, Apr 23, 2012 at 2:42 PM, <martin@v.loewis.de> wrote:
I don't see any occurrence of these functions in the various versions of
the _ssl module. Is Python really affected by this vulnerability?
We use SSL_CTX_use_certificate_chain_file, which ultimately uses d2i_X509_AUX_fp (I think).
However, I fail to see how this constitutes a remote vulnerability: one would have to inject a bad PEM file into an application to trigger this.
http://isc.sans.edu/diary.html?storyid=13018
claims that this is *not* exploitable over TLS (and I agree); they warn that it can be exploited e.g. when Apache reads server certificates from untrusted users. Even in the local case, you need a Python application running under one account that reads certificate files belonging to a different (Unix) account to create an exploit.
So I propose that for the regular bugfix releases, we upgrade the OpenSSL version, but otherwise take no action at this point.
Given that, agreed.
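The local-account scenario in the thread (an application under one account reading a certificate file that another Unix account can write) can be checked before the file ever reaches OpenSSL. The following is an added example written for this page, not code from the thread or from CPython's _ssl module; the function names and the ownership/permission policy are assumptions chosen for illustration, and it only uses the standard library (os, stat, ssl.SSLContext.load_cert_chain).

```python
"""Refuse to hand a PEM certificate/key file to OpenSSL unless it is owned
by the account the application runs as and cannot be modified by other
accounts.  Added example (not from the thread); names are assumptions."""
import os
import ssl
import stat
import tempfile


def cert_file_is_trusted(path, expected_uid=None):
    """Return True when `path` is a regular file (not a symlink), owned by
    `expected_uid` (default: the effective uid of this process) and not
    writable by group or others.  Anything else is treated as untrusted."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        st = os.lstat(path)          # lstat: do not follow symlinks
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:    # belongs to a different Unix account
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False                 # another account could rewrite the PEM
    return True


def load_trusted_chain(ctx, certfile, keyfile=None, expected_uid=None):
    """Wrapper around SSLContext.load_cert_chain that applies the check to
    both the certificate and (if separate) the private key file first."""
    for p in (certfile, keyfile):
        if p is not None and not cert_file_is_trusted(p, expected_uid):
            raise PermissionError("refusing untrusted certificate file: %s" % p)
    ctx.load_cert_chain(certfile, keyfile)


def demo():
    """Constructed sample: one temporary file checked under three
    conditions.  Returns (owner_only_ok, world_writable_ok, wrong_owner_ok)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        owner_only = cert_file_is_trusted(path)
        os.chmod(path, 0o666)
        world_writable = cert_file_is_trusted(path)
        os.chmod(path, 0o600)
        wrong_owner = cert_file_is_trusted(path, expected_uid=os.geteuid() + 1)
    finally:
        os.unlink(path)
    return owner_only, world_writable, wrong_owner


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```

The check is applied before load_cert_chain rather than after, because once OpenSSL has parsed the file the question the thread raises (whether a hostile account could have supplied its contents) has already been decided.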