[python-committers] fyi - openssl vulnerability - likely in our windows builds

Antoine Pitrou solipsis at pitrou.net
Mon Apr 23 23:48:32 CEST 2012


Le lundi 23 avril 2012 à 23:42 +0200, martin at v.loewis.de a écrit :
> > I don't see any occurrence of these functions in the various versions of
> > the _ssl module.
> > Is Python really affected by this vulnerability?
> 
> We use SSL_CTX_use_certificate_chain_file, which ultimately uses
> d2i_X509_AUX_fp (I think).
> 
> However, I fail to see how this constitutes a remote vulnerability:
> one would have to inject a bad PEM file into an application to trigger
> this.
> 
> http://isc.sans.edu/diary.html?storyid=13018
> 
> claims that this is *not* exploitable over TLS (and I agree); they
> warn that it can be exploited e.g. when Apache reads server certificates
> from untrusted users. Even in the local case, you need a Python application
> running under one account that reads certificate files belonging to
> a different (Unix) account to create an exploit.
> 
> So I propose that for the regular bugfix releases, we upgrade the OpenSSL
> version, but otherwise take no action at this point.

Agreed.

Regards

Antoine.
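The thread's risk assessment rests on one boundary: the parser bug only matters when an application hands OpenSSL a certificate file it does not control, such as one belonging to a different Unix account. The following is an added example (not code from the thread or from CPython) of enforcing that boundary in a Python application before `ssl.SSLContext.load_cert_chain`, the call that reaches `SSL_CTX_use_certificate_chain_file` and the PEM parser underneath it. The helper names `cert_path_problems`, `load_trusted_chain` and `make_sample_file` are hypothetical, and the sample file contents are constructed, not a real certificate.

```python
import os
import ssl
import stat
import tempfile


def cert_path_problems(path: str) -> list:
    """Return the reasons (if any) why `path` should not be fed to OpenSSL's PEM parser.

    Hypothetical helper: the file must be a regular file (not a symlink), owned by
    the user running the application, and not writable by group or others. Any
    failure means another account could control what the parser sees.
    """
    problems = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported rather than followed
    except OSError as exc:
        return ["cannot stat: %s" % exc]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the running user" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def load_trusted_chain(ctx: ssl.SSLContext, certfile: str, keyfile: str = None) -> None:
    """Load a certificate chain only after the ownership/permission checks pass.

    The checks run before OpenSSL parses anything, so an untrusted file never
    reaches d2i_X509_AUX_fp and friends.
    """
    problems = cert_path_problems(certfile)
    if keyfile is not None:
        problems += ["key: " + p for p in cert_path_problems(keyfile)]
    if problems:
        raise PermissionError("refusing to load %s: %s" % (certfile, "; ".join(problems)))
    ctx.load_cert_chain(certfile, keyfile)


def make_sample_file(mode: int) -> str:
    """Create a constructed (non-certificate) file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nCONSTRUCTED SAMPLE, NOT A REAL CERT\n-----END CERTIFICATE-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    good = make_sample_file(0o600)
    bad = make_sample_file(0o666)
    print("private file:", cert_path_problems(good) or "ok")
    print("world-writable file:", cert_path_problems(bad))
    try:
        load_trusted_chain(ctx, bad)
    except PermissionError as exc:
        print("refused before OpenSSL parsed it:", exc)
    for p in (good, bad):
        os.unlink(p)
```

The check is deliberately conservative: it refuses symlinks outright rather than following them, because the target of a symlink is exactly the kind of file another account can swap under the application. On Windows `os.getuid` does not exist, so the ownership test is skipped there and only the file type and mode bits are checked.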
