[issue25672] set SSL_MODE_RELEASE_BUFFERS

2016-01-07 Thread Roundup Robot

Roundup Robot added the comment:

New changeset b5b0394ed20b by Benjamin Peterson in branch 'default':
merge 3.5 (closes #25672)
https://hg.python.org/cpython/rev/b5b0394ed20b

--
nosy: +python-dev
resolution:  -> fixed
stage: commit review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25672] set SSL_MODE_RELEASE_BUFFERS

2016-01-06 Thread Marc-Andre Lemburg

Marc-Andre Lemburg added the comment:

Thanks, Brett. I'm too busy with other things at the moment.

--
assignee:  -> brett.cannon




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2016-01-06 Thread Brett Cannon

Brett Cannon added the comment:

I assume this can be checked in, MAL? If you need someone to do it for you, 
feel free to assign it to me and I can do it when I have a chance.

--
nosy: +brett.cannon
stage:  -> commit review




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-20 Thread Marc-Andre Lemburg

Marc-Andre Lemburg added the comment:

On 20.11.2015 12:10, Cory Benfield wrote:
> Yeah, while generally speaking OpenSSL doesn't ship betas, it does provide 
> them as tarballs. I have a beta of 1.0.2 floating around somewhere on my 
> machine that I was using for ALPN testing back in 2014, and so I can speak 
> from personal experience and say that people do actually work with betas 
> sometimes. On this issue (defending ourselves from a CVE) my instinct is to 
> be conservative. However, we should allow later patch releases of OpenSSL 
> 1.0.0 to have this optimisation if they're safe.

Ah, right. For new major release versions such as 1.0.1 or 1.0.2
they do ship betas, but historically they have often introduced
new features in their abcde... level releases without doing
betas for those first - that's what I was thinking of :-)

> Therefore, I've uploaded a new patch that does allow for 1.0.0m and later to 
> use this optimisation too. It makes the conditional a little more complex, 
> but c'est la vie.

LGTM

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

--




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-20 Thread Cory Benfield

Cory Benfield added the comment:

Thanks for the updated info Marc-Andre.

Yeah, while generally speaking OpenSSL doesn't ship betas, it does provide them 
as tarballs. I have a beta of 1.0.2 floating around somewhere on my machine 
that I was using for ALPN testing back in 2014, and so I can speak from 
personal experience and say that people do actually work with betas sometimes. 
On this issue (defending ourselves from a CVE) my instinct is to be 
conservative. However, we should allow later patch releases of OpenSSL 1.0.0 to 
have this optimisation if they're safe.

Therefore, I've uploaded a new patch that does allow for 1.0.0m and later to 
use this optimisation too. It makes the conditional a little more complex, but 
c'est la vie.

--
Added file: http://bugs.python.org/file41094/ssl3.patch




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-20 Thread Marc-Andre Lemburg

Marc-Andre Lemburg added the comment:

The release buffer mode bugs were fixed in 1.0.0m and 1.0.1h:

https://openssl.org/news/vulnerabilities.html#y2014

CVE-2014-0198 (OpenSSL advisory) 21st April 2014:
A flaw in the do_ssl3_write function can allow remote attackers to cause a 
denial of service via a NULL pointer dereference. This flaw only affects 
OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not 
the default and not common.

Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 
1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 
1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)

CVE-2010-5298 (OpenSSL advisory) 8th April 2014:
A race condition in the ssl3_read_bytes function can allow remote attackers 
to inject data across sessions or cause a denial of service. This flaw only 
affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where 
SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 
1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 
1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)

PS: OpenSSL normally doesn't issue betas. All their releases are final. The 
numbering scheme is a bit weird - perhaps they'll change to a more common one 
with 1.1 (this will have a beta cycle): 
https://openssl.org/policies/releasestrat.html

--
nosy: +lemburg




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-20 Thread Cory Benfield

Cory Benfield added the comment:

Good idea Benjamin. I've uploaded a second patch that adjusts the check to be a 
runtime one, rather than a compiled one.

--
Added file: http://bugs.python.org/file41091/ssl2.patch




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-19 Thread Benjamin Peterson

Benjamin Peterson added the comment:

It might be better to do a runtime OpenSSL version check in case someone 
upgrades or downgrades to a vulnerable version without recompiling Python.

--
nosy: +benjamin.peterson

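One way to express the runtime version gate this thread converges on (Benjamin's runtime check, limited to the releases Marc-Andre lists as fixed: 1.0.0m and 1.0.1h), written here as an added C example and not the ssl.patch attached to the issue. The 0xMNNFFPPS layout is OpenSSL 1.0.x's own version encoding; `ossl_version` and `release_buffers_is_safe` are names chosen for this illustration.

```c
#include <stdio.h>

/* OpenSSL 1.0.x encodes its version as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (a = 1, b = 2, ...),
 * S = status (0xf for a final release). Helper to build such a number. */
static unsigned long ossl_version(unsigned major, unsigned minor, unsigned fix,
                                  char patch_letter, unsigned status)
{
    unsigned long patch = patch_letter ? (unsigned long)(patch_letter - 'a' + 1) : 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | (patch << 4) | (status & 0xf);
}

/* Returns 1 when SSL_MODE_RELEASE_BUFFERS may be enabled for version `v`.
 * Per the advisories quoted in the thread, CVE-2014-0198 and CVE-2010-5298
 * affect only the 1.0.0 line before 1.0.0m and the 1.0.1 line before 1.0.1h.
 * Betas of those lines (status nibble below 0xf, no patch letter) count as
 * unfixed, which is the conservative choice discussed above. */
int release_buffers_is_safe(unsigned long v)
{
    unsigned long line  = v & 0xfffff000UL;  /* major.minor.fix only */
    unsigned long patch = (v >> 4) & 0xffUL; /* 0 = no letter, 1 = 'a', ... */

    if (line == 0x10000000UL)   /* 1.0.0 line: fixed in 1.0.0m (letter 13) */
        return patch >= 13;
    if (line == 0x10001000UL)   /* 1.0.1 line: fixed in 1.0.1h (letter 8) */
        return patch >= 8;
    return 1;                   /* other lines are not listed as affected */
}

/* In the real ssl module the value passed in would come from SSLeay(), the
 * version of the library actually loaded at runtime, not from the compile-time
 * OPENSSL_VERSION_NUMBER, so that swapping the shared library without
 * recompiling Python is still caught. Here we just exercise the predicate. */
int main(void)
{
    struct { const char *name; unsigned long v; } samples[] = {
        { "1.0.0l", ossl_version(1, 0, 0, 'l', 0xf) },
        { "1.0.0m", ossl_version(1, 0, 0, 'm', 0xf) },
        { "1.0.1g", ossl_version(1, 0, 1, 'g', 0xf) },
        { "1.0.1h", ossl_version(1, 0, 1, 'h', 0xf) },
        { "1.0.2",  ossl_version(1, 0, 2, 0, 0xf) },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("OpenSSL %-7s 0x%08lx  release buffers: %s\n", samples[i].name,
               samples[i].v, release_buffers_is_safe(samples[i].v) ? "on" : "off");
    return 0;
}
```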



[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-19 Thread Cory Benfield

Cory Benfield added the comment:

Ok, I've just uploaded an initial draft of the patch for review.

--
keywords: +patch
Added file: http://bugs.python.org/file41083/ssl.patch




[issue25672] set SSL_MODE_RELEASE_BUFFERS

2015-11-19 Thread Ethan Furman

Changes by Ethan Furman:

--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
title: Unconditionally set SSL_MODE_RELEASE_BUFFERS -> set 
SSL_MODE_RELEASE_BUFFERS
