[New-bugs-announce] [issue13885] CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure

Antoine Pitrou report at bugs.python.org
Fri Jan 27 09:25:53 CET 2012


New submission from Antoine Pitrou <pitrou at free.fr>:

Original e-mail from Apple security team:

> Follow-up:  187806281
> 
> SSL 3.0 and TLS 1.0 are vulnerable to an attack described at
> 
> http://www.openssl.org/~bodo/tls-cbc.txt
> 
> OpenSSL includes a countermeasure which prevents the attack, but python
> 2.7 has, around line 372 of Modules/_ssl.c:
> 
> SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
> 
> SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS which disables the 
> countermeasure.
> 
> 2.6 is similar.

----------
components: Extension Modules
messages: 152068
nosy: barry, benjamin.peterson, loewis, pitrou
priority: critical
severity: normal
stage: commit review
status: open
title: CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13885>
_______________________________________


More information about the New-bugs-announce mailing list