[Python-checkins] cpython (merge 3.1 -> 3.2): Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV

antoine.pitrou python-checkins at python.org
Fri Jan 27 09:57:49 CET 2012


http://hg.python.org/cpython/rev/4386686a035d
changeset:   74648:4386686a035d
branch:      3.2
parent:      74639:90368391f0f9
parent:      74647:e7706bdaaa0d
user:        Antoine Pitrou <solipsis at pitrou.net>
date:        Fri Jan 27 09:50:45 2012 +0100
summary:
  Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

files:
  Misc/NEWS      |  3 +++
  Modules/_ssl.c |  6 ++++--
  2 files changed, 7 insertions(+), 2 deletions(-)


diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -111,6 +111,9 @@
 Library
 -------
 
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 - Issue #13772: In os.symlink() under Windows, do not try to guess the link
   target's type (file or directory).  The detection was buggy and made the
   call non-atomic (therefore prone to race conditions).
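Review bot: the NEWS entry describes the bug but not the user-visible change it makes. Since this commit also alters the value of the exported `ssl.OP_ALL` constant (see the second `_ssl.c` hunk), the entry should say so, e.g. "... CBC IV attack countermeasure. `ssl.OP_ALL` no longer includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`", so that applications relying on the previous value of `OP_ALL` can find the change.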
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1481,7 +1481,8 @@
     self->ctx = ctx;
     /* Defaults */
     SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL);
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
 #define SID_CTX "Python"
     SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
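Review bot: the expression `SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` is duplicated verbatim in the `OP_ALL` constant hunk below; a single macro such as `#define PY_SSL_DEFAULT_OPTIONS (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)` used in both places would keep the context default and the exported constant from drifting apart. Note also that `SSL_CTX_set_options()` only ORs bits in and cannot clear them, so masking the bit out of the argument is correct only because `self->ctx` is freshly created here; it would not undo the flag on a context where it had already been set.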
@@ -2143,7 +2144,8 @@
                             PY_SSL_VERSION_TLS1);
 
     /* protocol options */
-    PyModule_AddIntConstant(m, "OP_ALL", SSL_OP_ALL);
+    PyModule_AddIntConstant(m, "OP_ALL",
+                            SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
     PyModule_AddIntConstant(m, "OP_NO_SSLv2", SSL_OP_NO_SSLv2);
     PyModule_AddIntConstant(m, "OP_NO_SSLv3", SSL_OP_NO_SSLv3);
     PyModule_AddIntConstant(m, "OP_NO_TLSv1", SSL_OP_NO_TLSv1);
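Review bot: with this hunk the Python-level `OP_ALL` no longer equals OpenSSL's `SSL_OP_ALL`, but nothing in the patch updates the `ssl` module documentation, where `OP_ALL` is described in terms of the OpenSSL option. The docstring or `Doc/library/ssl.rst` should state that `OP_ALL` excludes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, since callers doing `ctx.options |= ssl.OP_ALL` will otherwise assume they get the full OpenSSL bug-workaround set.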

-- 
Repository URL: http://hg.python.org/cpython
