On Mon, Apr 23, 2012 at 2:42 PM, <mar...@v.loewis.de> wrote:

>> I don't see any occurrence of these functions in the various versions of
>> the _ssl module.
>> Is Python really affected by this vulnerability?
>>
>
> We use SSL_CTX_use_certificate_chain_file, which ultimately uses
> d2i_X509_AUX_fp (I think).
>
> However, I fail to see how this constitutes a remote vulnerability:
> one would have to inject a bad PEM file into an application to trigger
> this.
>
> http://isc.sans.edu/diary.html?storyid=13018
>
> claims that this is *not* exploitable over TLS (and I agree); they
> warn that it can be exploited e.g. when Apache reads server certificates
> from untrusted users. Even in the local case, you need a Python application
> running under one account that reads certificate files belonging to
> a different (Unix) account to create an exploit.
>
> So I propose that for the regular bugfix releases, we upgrade the OpenSSL
> version, but otherwise take no action at this point.
>

Given that, agreed.
_______________________________________________
python-committers mailing list
python-committers@python.org
http://mail.python.org/mailman/listinfo/python-committers
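The exploitation scenario Martin describes above turns on a single trust boundary: a PEM file controlled by another account reaching SSL_CTX_use_certificate_chain_file through the _ssl module. The following is an added example, not code from the thread or from CPython's _ssl, of the check an application can run before calling load_cert_chain(): the file must be a regular file (symlinks are not followed), owned by the process's effective uid or by root, and not writable by group or others. The function names, the constructed sample files in demo() and the choice to accept root-owned files are all assumptions made here for illustration.

```python
"""Added example (not from the python-committers thread or CPython's _ssl):
refuse to hand a PEM file to OpenSSL's certificate parser unless it is a
regular file owned by the account the process runs as (or root) and is
not writable by anyone else.  This is the trust boundary the thread
describes: the bug is only reachable if a file controlled by a different
account reaches SSL_CTX_use_certificate_chain_file."""
import os
import ssl
import stat
import tempfile


def pem_file_problems(mode, uid, euid):
    """Pure check on a file's st_mode and st_uid.  Returns a list of
    reasons to refuse the file; an empty list means it may be loaded.
    Accepting uid 0 (package-manager-installed certs) is an assumption."""
    problems = []
    if not stat.S_ISREG(mode):
        # check_cert_file() uses lstat(), so a symlink planted by another
        # user shows up here instead of being silently followed.
        problems.append("not a regular file")
    if uid not in (euid, 0):
        problems.append("owned by uid %d, not the process owner" % uid)
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_cert_file(path, euid=None):
    """Stat ``path`` without following symlinks and apply the check."""
    if euid is None:
        euid = os.geteuid()
    st = os.lstat(path)
    return pem_file_problems(st.st_mode, st.st_uid, euid)


def load_cert_chain_checked(ctx, certfile, keyfile=None):
    """Wrapper around SSLContext.load_cert_chain() that runs the ownership
    and permission check first, so an untrusted file never reaches the
    OpenSSL PEM/ASN.1 parser at all."""
    for path in (certfile, keyfile):
        if path is None:
            continue
        problems = check_cert_file(path)
        if problems:
            raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    ctx.load_cert_chain(certfile, keyfile)


def demo():
    """Constructed sample files in a temp dir: one sane (0600), one
    world-writable (0666), one symlink.  Returns the check results and
    whether the wrapper refused the loose file before OpenSSL ever saw
    its deliberately bogus contents."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sane = os.path.join(d, "server.pem")
        loose = os.path.join(d, "loose.pem")
        link = os.path.join(d, "link.pem")
        for p in (sane, loose):
            with open(p, "w") as f:
                f.write("not a real PEM file\n")  # constructed, not a cert
        os.chmod(sane, 0o600)
        os.chmod(loose, 0o666)
        os.symlink(sane, link)
        results["sane"] = check_cert_file(sane)
        results["loose"] = check_cert_file(loose)
        results["link"] = check_cert_file(link)

        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            load_cert_chain_checked(ctx, loose)
            results["blocked"] = False
        except PermissionError:
            # Raised by our check.  An ssl.SSLError here would instead
            # mean the bogus file had already reached the OpenSSL parser.
            results["blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check is deliberately done on lstat() output rather than on the open file: the scenario in the thread is a file path supplied or replaceable by another local account, and a symlink from a directory that account controls is the usual way such a path ends up pointing at attacker-chosen bytes. A file whose contents the process owner controls is still only as safe as the OpenSSL build behind it, which is why the thread's conclusion is to ship the upgraded OpenSSL regardless.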
