OpenSSL 1.1.1k CVE fixes
Hi,

OpenSSL released 1.1.1k today with two high severity CVEs, https://www.openssl.org/news/vulnerabilities.html

The ssl module is not affected by CVE-2021-3450 in its default configuration. Python does not set X509_V_FLAG_X509_STRICT on SSLContext. Only applications that use the ssl.VERIFY_X509_STRICT verify flag are affected.

It looks like Python's ssl module is vulnerable to CVE-2021-3449. The crash does not affect pip, requests, or any other client-side socket. Only server-side SSL/TLS sockets are vulnerable (ssl.PROTOCOL_TLS_SERVER and server_side=True).

I haven't had time to reproduce and verify any of the CVE bugs yet. That means I'm not entirely sure how the CVEs affect CPython. I strongly recommend that you update OpenSSL through your vendor and restart your services.

If you cannot update OpenSSL (e.g. for Python.org installers), then you can apply workarounds:

To disable the X509_V_FLAG_X509_STRICT flag, either remove any lines that set the flag or unset the flag with:

    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT

(That's the bitwise AND and unary bitwise invert operator.)

To work around CVE-2021-3449, either disable TLS 1.0, 1.1, and 1.2 with

    ctx.minimum_version = ssl.TLSVersion.TLSv1_3

or disable renegotiation with

    ctx.options |= ssl.OP_NO_RENEGOTIATION

NOTE: Renegotiation is required for TLS 1.2 rekeying, optional TLS client cert authentication with TLS 1.2, and possibly other features. TLS 1.3 is not supported by older clients and servers.

Christian
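The workarounds from the message above, as an added example that is not part of Christian's post or of CPython: a small script that applies the two mitigations to a server-side SSLContext and reports which of the risky settings a context still carries. The function and key names (openssl_1_1_1_has_fixes, assess_server_context, harden_server_context, demo) are mine, and the version check assumes that ssl.OPENSSL_VERSION_INFO reports the 1.1.1k patch letter "k" as 11 (a=1, b=2, ...).

```python
import ssl

# Assumption (not from the post): the first 1.1.1-series release with both
# fixes is 1.1.1k, whose patch letter "k" is reported as 11 in the fourth
# field of ssl.OPENSSL_VERSION_INFO (a=1, b=2, ..., k=11).
FIXED_1_1_1_PATCH = 11


def openssl_1_1_1_has_fixes(version_info=None):
    """True/False for a 1.1.1-series OpenSSL, None for any other series.

    Caveat: distribution vendors often backport CVE fixes without changing
    the version string, so False means "ask your vendor", not "vulnerable".
    """
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    major, minor, fix, patch = version_info[:4]
    if (major, minor, fix) != (1, 1, 1):
        return None
    return patch >= FIXED_1_1_1_PATCH


def assess_server_context(ctx):
    """Report whether a server-side SSLContext carries the two risky settings.

    Mirrors the conditions named in the post: CVE-2021-3450 needs the strict
    X.509 verify flag; CVE-2021-3449 needs a pre-1.3 protocol version and
    renegotiation left enabled. This only inspects the context object; it
    says nothing about whether the linked OpenSSL itself is patched.
    """
    strict = bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)
    pre_tls13_allowed = ctx.minimum_version < ssl.TLSVersion.TLSv1_3
    reneg_disabled = bool(ctx.options & ssl.OP_NO_RENEGOTIATION)
    return {
        "cve_2021_3450_setting_present": strict,
        "cve_2021_3449_setting_present": pre_tls13_allowed and not reneg_disabled,
    }


def harden_server_context(ctx, tls13_only=False):
    """Apply the post's workarounds in place and return the context.

    tls13_only=True drops TLS 1.0-1.2 entirely (older peers cannot connect).
    The default instead disables renegotiation, which, as the post notes,
    also removes TLS 1.2 rekeying and post-handshake client-cert requests.
    """
    # Bitwise AND with the inverted flag clears only the strict bit.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    if tls13_only:
        if not ssl.HAS_TLSv1_3:
            raise RuntimeError("TLS 1.3 unavailable; use the renegotiation workaround")
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def demo():
    """Build a server context with the risky flag set, then harden it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Constructed starting point: an application that opted into strict
    # X.509 checks, which is the configuration the post warns about.
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    before = assess_server_context(ctx)
    after = assess_server_context(harden_server_context(ctx))
    return before, after


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "1.1.1k or later:", openssl_1_1_1_has_fixes())
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run this once against each server-side context your application builds; a context that still reports a True value after hardening means something later in the code re-enables the flag or re-sets the minimum version. Treat the version check as a hint only, since the real fix is the vendor update and restart the post recommends.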
participants (1)
-
Christian Heimes