Hi,

OpenSSL released 1.1.1k today with two high severity CVEs,
https://www.openssl.org/news/vulnerabilities.html


The ssl module is not affected by CVE-2021-3450 in its default
configuration. Python does not set X509_V_FLAG_X509_STRICT on
SSLContext. Only applications that use the ssl.VERIFY_X509_STRICT
verify flag are affected.

It looks like Python's ssl module is vulnerable to CVE-2021-3449. The
crash does not affect pip, requests, or any other client-side socket.
Only server-side SSL/TLS sockets are vulnerable (ssl.PROTOCOL_TLS_SERVER
and server_side=True).


I haven't had time to reproduce and verify any of the CVE bugs yet. That
means I'm not entirely sure how the CVEs affect CPython. I strongly
recommend that you update OpenSSL through your vendor and restart your
services. If you cannot update OpenSSL (e.g. for Python.org installers),
then you can apply workarounds:


To disable the X509_V_FLAG_X509_STRICT flag, either remove any lines that set
the flag or unset the flag with:

    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT

(That's the bitwise AND and the unary bitwise invert operator.)


To work around CVE-2021-3449 either disable TLS 1.0, 1.1, and 1.2 with

    ctx.minimum_version = ssl.TLSVersion.TLSv1_3

or disable renegotiation with

    ctx.options |= ssl.OP_NO_RENEGOTIATION

NOTE: Renegotiation is required for TLS 1.2 rekeying, optional TLS
client cert authentication with TLS 1.2 and possibly other features. TLS 1.3
is not supported by older clients and servers.
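Both workarounds applied to a server-side context and then audited, as an added example (not code from the original message). It assumes Python 3.7+ linked against OpenSSL 1.1.1, so that ssl.OP_NO_RENEGOTIATION and ssl.TLSVersion exist, and it assumes that release 1.1.1k maps to OPENSSL_VERSION_INFO patch level 11 (letter k); the function and result key names are my own.

```python
import ssl

# Assumption: 1.1.1k corresponds to OPENSSL_VERSION_INFO (1, 1, 1, 11, ...)
# (patch letter 'k' == 11). Vendors may backport the fix into an earlier
# letter, so treat this as a hint, not as proof that the bugs are fixed.
FIXED_1_1_1 = (1, 1, 1, 11)


def openssl_looks_fixed(version_info=None):
    """True if the linked OpenSSL is at least 1.1.1k (or a later major)."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(info[:4]) >= FIXED_1_1_1


def harden_server_context(ctx=None, tls13_only=False):
    """Apply the workarounds from the message to a server context."""
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # CVE-2021-3450: make sure X509_STRICT is not in effect. AND-ing with the
    # inverted flag clears only that bit and leaves the other flags alone.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    if tls13_only:
        # CVE-2021-3449: TLS 1.3 has no renegotiation, so refusing every
        # older protocol version removes the reachable code path entirely.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        # Keep TLS 1.2 for older peers, but refuse renegotiation requests.
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def audit_context(ctx):
    """Report which of the workarounds a context actually has in place."""
    strict = bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)
    no_reneg = bool(ctx.options & ssl.OP_NO_RENEGOTIATION)
    tls13_only = ctx.minimum_version == ssl.TLSVersion.TLSv1_3
    return {
        "x509_strict_set": strict,  # CVE-2021-3450 is reachable if True
        "renegotiation_disabled": no_reneg,
        "tls13_only": tls13_only,
        # A server is covered for CVE-2021-3449 by either workaround.
        "cve_2021_3449_mitigated": no_reneg or tls13_only,
    }


if __name__ == "__main__":
    print("OpenSSL", ssl.OPENSSL_VERSION, "looks fixed:", openssl_looks_fixed())
    print(audit_context(harden_server_context()))
    print(audit_context(harden_server_context(tls13_only=True)))
```

Run audit_context against the contexts your application really builds (not a fresh one), since a stray ssl.VERIFY_X509_STRICT elsewhere in the code base is exactly what the audit is meant to catch.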


Christian

_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/2GULUR43MNEW3IJM44LS5ZY2TOUANPNT/
Code of Conduct: http://python.org/psf/codeofconduct/