FYI - there is a network exploitable vulnerability in OpenSSL -
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110
Our Windows builds likely need updating. At the very least make sure
openssl is updated before the next time we produce binaries. It's up to the
release managers if they wa
2012/4/23 Gregory P. Smith
> FYI - there is a network exploitable vulnerability in OpenSSL -
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110
>
> Our Windows builds likely need updating. At the very least make sure
> openssl is updated before the next time we produce binaries. It's
I don't see any occurrence of these functions in the various versions of
the _ssl module.
Is Python really affected by this vulnerability?
We use SSL_CTX_use_certificate_chain_file, which ultimately uses
d2i_X509_AUX_fp (I think).
However, I fail to see how this constitutes a remote vulnerabi
On Monday 23 April 2012 at 23:42 +0200, [email protected] wrote:
> > I don't see any occurrence of these functions in the various versions of
> > the _ssl module.
> > Is Python really affected by this vulnerability?
>
> We use SSL_CTX_use_certificate_chain_file, which ultimately uses
> d2i_X509_
On Apr 23, 2012, at 5:48 PM, Antoine Pitrou wrote:
>> [mvl]
>> So I propose that for the regular bugfix releases, we upgrade the OpenSSL
>> version, but otherwise take no action at this point.
>
> Agreed.
With two such august opinions I, at least, feel confident we are unlikely to
have to scra
On Mon, Apr 23, 2012 at 2:42 PM, wrote:
> I don't see any occurrence of these functions in the various versions of
>> the _ssl module.
>> Is Python really affected by this vulnerability?
>>
>
> We use SSL_CTX_use_certificate_chain_file, which ultimately uses
> d2i_X509_AUX_fp (I think).
>
> Ho