Note that in versions of Python that still had NPN support, whether NPN support
is built depends on which SSL library/version you build with:
https://github.com/python/cpython/blob/3.9/Modules/_ssl.c#L188-L202
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2024-5642] Buffer over-read in
SSLContext.set_npn_protocols() for Python 3.9 and earlier
Date: Thu, 27 Jun 2024 16:09:13 -0500
From: Seth Larson <s...@python.org>
Reply-To: security-...@python.org
To: security-annou...@python.org
There is a buffer over-read defect in CPython 3.9 and earlier due to not
excluding an invalid value for OpenSSL's NPN APIs.
This vulnerability is of severity *LOW*.
CPython doesn't disallow configuring an empty list ("[]") for
SSLContext.set_npn_protocols() which is an invalid value for the underlying
OpenSSL API. This results in a buffer over-read when NPN is used (see
CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN
not being widely used and specifying an empty list likely being uncommon
in practice (typically a protocol name would be configured).
Suggested mitigation is one of the following:
* Upgrade to Python 3.10 or later where NPN isn't supported
* Avoid using NPN via SSLContext.set_npn_protocols()
* Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()
Security-announce mailing list -- security-annou...@python.org
https://mail.python.org/mailman3/lists/security-announce.python.org/
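The mitigations above boil down to two checks an operator can script: is this interpreter in the affected range at all (CPython 3.9 or earlier with an ssl module built against an OpenSSL that has NPN, per the forwarder's note), and does any NPN configuration pass a non-empty protocol list. The following is an added example written for this thread, not code from the advisory or from CPython; the function names (`interpreter_exposed`, `validate_npn_protocols`, `safe_set_npn_protocols`, `is_rejected`) are hypothetical helpers, and the sample protocol lists are constructed.

```python
"""Added example (not from the advisory or CPython): guard an NPN
configuration against the empty-list condition of CVE-2024-5642 and
report whether the running interpreter is in the affected range.
All helper names below are hypothetical, not ssl module APIs."""
import ssl
import sys


def interpreter_exposed(version_info=sys.version_info,
                        has_npn=getattr(ssl, "HAS_NPN", False)):
    """True when the over-read is reachable at all: CPython 3.9 or earlier
    (the advisory's affected range) AND an ssl module compiled with NPN
    support (ssl.HAS_NPN, which depends on the OpenSSL build, as noted in
    the forward). Both inputs are parameters so the check can be exercised
    on constructed values as well as on the live interpreter."""
    major_minor = (version_info[0], version_info[1])
    return major_minor <= (3, 9) and bool(has_npn)


def validate_npn_protocols(protocols):
    """Return the protocol names as a list after rejecting the input the
    advisory identifies as invalid for OpenSSL's NPN API: an empty list.
    Also applies the 1..255-byte limit that ssl.py enforces per name.
    Non-ASCII names raise UnicodeEncodeError, a ValueError subclass, so a
    caller can catch ValueError for every rejection."""
    names = list(protocols)
    if not names:
        raise ValueError(
            "NPN protocol list must not be empty (CVE-2024-5642): "
            "configure a protocol name such as 'http/1.1' or skip NPN")
    for name in names:
        if not isinstance(name, str):
            raise ValueError("NPN protocol names must be str, got %r" % (name,))
        encoded = name.encode("ascii")
        if not 1 <= len(encoded) <= 255:
            raise ValueError("NPN protocol name must be 1 to 255 bytes: %r" % (name,))
    return names


def is_rejected(protocols):
    """Convenience predicate: True if validate_npn_protocols() refuses the input."""
    try:
        validate_npn_protocols(protocols)
    except ValueError:
        return True
    return False


def safe_set_npn_protocols(ctx, protocols):
    """Hypothetical wrapper: validate first, then delegate to the real
    SSLContext.set_npn_protocols(). The validation is what closes the
    empty-list case; everything else is the stdlib's own behaviour."""
    names = validate_npn_protocols(protocols)
    ctx.set_npn_protocols(names)
    return names


if __name__ == "__main__":
    print("interpreter in affected range:", interpreter_exposed())
    # Constructed inputs: one valid list, one empty list, one over-long name.
    for sample in (["http/1.1", "h2"], [], ["x" * 256]):
        try:
            print(sample if len(str(sample)) < 40 else "[<256-byte name>]",
                  "->", validate_npn_protocols(sample))
        except ValueError as exc:
            print("rejected:", exc if len(str(exc)) < 120 else "over-long name")
```

Run it as a script to see the affected-range verdict for the current interpreter; in a code base that still targets 3.9, route every NPN call through the wrapper so an empty list fails loudly in Python rather than reaching the OpenSSL call.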