I don't see any occurrence of these functions in the various versions of
the _ssl module.
Is Python really affected by this vulnerability?

We use SSL_CTX_use_certificate_chain_file, which ultimately uses
d2i_X509_AUX_fp (I think).

However, I fail to see how this constitutes a remote vulnerability:
one would have to inject a bad PEM file into an application to trigger
this.

http://isc.sans.edu/diary.html?storyid=13018

claims that this is *not* exploitable over TLS (and I agree); they
warn that it can be exploited e.g. when Apache reads server certificates
from untrusted users. Even in the local case, you need a Python application
running under one account that reads certificate files belonging to
a different (Unix) account to create an exploit.

So I propose that for the regular bugfix releases, we upgrade the OpenSSL
version, but otherwise take no action at this point.

Regards,
Martin

_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers
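As an added illustration of the trust boundary Martin describes (example code, not from the thread and not CPython's own), the following POSIX-only check refuses to hand a PEM file to OpenSSL unless it is a regular file, not a symlink, owned by the running user or root, and not writable by other accounts. It assumes the Python entry point is `SSLContext.load_cert_chain`, which in CPython's `_ssl` module wraps `SSL_CTX_use_certificate_chain_file`; the names `cert_file_problems`, `load_cert_chain_checked` and `demo` are this example's own, and the sample files `demo` creates are constructed placeholders, not real certificates.

```python
import os
import shutil
import stat
import tempfile


class UntrustedCertFile(Exception):
    """Raised when a certificate or key file fails the trust-boundary checks."""


def cert_file_problems(path, trusted_uids=None):
    """Return the reasons `path` should NOT be parsed by the TLS library.

    Enforces the boundary from the discussion above: a PEM file that OpenSSL
    is going to parse must belong to the account running this process (or
    root), must be a regular file rather than a symlink, and must not be
    writable by other accounts. An empty list means every check passed.
    """
    if trusted_uids is None:
        trusted_uids = {os.geteuid(), 0}
    problems = []
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    if st.st_uid not in trusted_uids:
        problems.append("owned by uid %d, not the running user or root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        problems.append("is group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("is world-writable")
    return problems


def load_cert_chain_checked(ctx, certfile, keyfile=None):
    """Check the files first, then call ssl.SSLContext.load_cert_chain.

    `ctx` is an ssl.SSLContext; certfile/keyfile are real PEM paths.
    """
    for path in (certfile, keyfile) if keyfile else (certfile,):
        problems = cert_file_problems(path)
        if problems:
            raise UntrustedCertFile("%s: %s" % (path, "; ".join(problems)))
    ctx.load_cert_chain(certfile, keyfile)


def demo():
    """Run the check over constructed sample files; returns {case: problems}."""
    d = tempfile.mkdtemp()
    results = {}
    try:
        pem = os.path.join(d, "server.pem")
        with open(pem, "w") as f:
            # Constructed placeholder, not a real certificate.
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        os.chmod(pem, 0o600)
        results["private"] = cert_file_problems(pem)
        os.chmod(pem, 0o666)
        results["world_writable"] = cert_file_problems(pem)
        link = os.path.join(d, "link.pem")
        os.symlink(pem, link)
        results["symlink"] = cert_file_problems(link)
        results["directory"] = cert_file_problems(d)
        # Pretend only some other uid is trusted: the file then counts as foreign.
        results["foreign_owner"] = cert_file_problems(pem, trusted_uids={os.geteuid() + 1})
    finally:
        shutil.rmtree(d)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print("%-15s %s" % (case, problems or "ok"))
```

The ownership test is the one that matters for the scenario in the mail: a process under one Unix account silently parsing a certificate file that another account controls. The mode-bit checks catch the looser variant where the file is nominally ours but anyone can rewrite it.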
