On Monday, 23 April 2012 at 23:42 +0200, mar...@v.loewis.de wrote:
> > I don't see any occurrence of these functions in the various versions of
> > the _ssl module.
> > Is Python really affected by this vulnerability?
>
> We use SSL_CTX_use_certificate_chain_file, which ultimately uses
> d2i_X509_AUX_fp (I think).
>
> However, I fail to see how this constitutes a remote vulnerability:
> one would have to inject a bad PEM file into an application to trigger
> this.
>
> http://isc.sans.edu/diary.html?storyid=13018
>
> claims that this is *not* exploitable over TLS (and I agree); they
> warn that it can be exploited e.g. when Apache reads server certificates
> from untrusted users. Even in the local case, you need a Python application
> running under one account that reads certificate files belonging to
> a different (Unix) account to create an exploit.
>
> So I propose that for the regular bugfix releases, we upgrade the OpenSSL
> version, but otherwise take no action at this point.
Agreed.

Regards

Antoine.

_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers
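The reasoning in the thread rests on a trust boundary: the OpenSSL parser is only reached when Python hands it a certificate file, so the exposure is a Python process reading a PEM file that some other local account can write or replace. The script below is an added example, not code from the thread or from CPython, that puts an explicit check in front of that boundary before `ssl.SSLContext.load_cert_chain` (the Python call that ends up in `SSL_CTX_use_certificate_chain_file`). The helper names `check_cert_file_trust`, `load_server_context` and `demo` are assumptions, as is the Python 3 `SSLContext` API (the 2012 thread predates `ssl.PROTOCOL_TLS_SERVER`); the PEM files in `demo` are constructed placeholders that are never passed to OpenSSL. The check says nothing about the PEM contents, which is exactly why the thread still upgrades OpenSSL.

```python
import os
import shutil
import ssl
import stat
import tempfile


def check_cert_file_trust(path, expected_uid=None):
    """Decide whether a PEM file sits inside our trust boundary.

    Hypothetical helper (not part of Python's ssl module). Returns
    (ok, reason). ok is True only when `path` is a regular file (not a
    symlink, which another account could point at its own bytes), owned
    by `expected_uid` (default: our effective uid), and not writable by
    group or others. It does not validate the PEM contents at all; that
    is OpenSSL's job and the reason to upgrade it.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    st = os.lstat(path)  # lstat: inspect the link itself, don't follow it
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others"
    return True, "ok"


def load_server_context(certfile, keyfile=None):
    """Build a server SSLContext, refusing cert files from outside the boundary.

    ssl.SSLContext.load_cert_chain is the Python entry point that reaches
    OpenSSL's SSL_CTX_use_certificate_chain_file, i.e. the parser the
    thread is discussing, so the gate belongs directly in front of it.
    """
    for path in (certfile, keyfile):
        if path is None:
            continue
        ok, reason = check_cert_file_trust(path)
        if not ok:
            raise PermissionError("refusing %s: %s" % (path, reason))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def demo():
    """Constructed fixtures: variants of a PEM-named file in a temp dir.

    The file bodies are placeholders and are never handed to OpenSSL here;
    only the trust-boundary verdicts are returned.
    """
    workdir = tempfile.mkdtemp(prefix="pemtrust-")
    try:
        placeholder = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
        private = os.path.join(workdir, "server.pem")
        with open(private, "w") as fh:
            fh.write(placeholder)
        os.chmod(private, 0o600)

        loose = os.path.join(workdir, "loose.pem")
        shutil.copyfile(private, loose)
        os.chmod(loose, 0o666)  # any local account could replace the bytes

        link = os.path.join(workdir, "link.pem")
        os.symlink(private, link)

        return {
            "private": check_cert_file_trust(private)[0],
            "world_writable": check_cert_file_trust(loose)[0],
            "symlink": check_cert_file_trust(link)[0],
            # simulate "certificate file belongs to a different (Unix) account"
            "other_owner": check_cert_file_trust(private, expected_uid=os.geteuid() + 1)[0],
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-15s %s" % (name, "accepted" if ok else "rejected"))
```

Running the script prints one verdict per fixture: only the privately owned, owner-only-writable file is accepted; the world-writable copy, the symlink and the file attributed to another uid are all refused before `load_cert_chain` would ever be called. Note that `os.lstat` rather than `os.stat` is used deliberately: following a symlink planted by another account is precisely the local scenario the thread describes.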