Hi, OpenSSL released 1.1.1k today with two high severity CVEs, https://www.openssl.org/news/vulnerabilities.html
The ssl module is not affected by CVE-2021-3450 in its default configuration. Python does not set X509_V_FLAG_X509_STRICT on SSLContext. Only applications that use the ssl.VERIFY_X509_STRICT verify flag are affected.

It looks like Python's ssl module is vulnerable to CVE-2021-3449. The crash does not affect pip, requests, or any other client-side socket. Only server-side SSL/TLS sockets are vulnerable (ssl.PROTOCOL_TLS_SERVER and server_side=True).

I haven't had time to reproduce and verify any of the CVE bugs yet. That means I'm not entirely sure how the CVEs affect CPython.

I strongly recommend that you update OpenSSL through your vendor and restart your services. If you cannot update OpenSSL (e.g. for Python.org installers), then you can apply workarounds:

To disable the X509_V_FLAG_X509_STRICT flag, either remove any lines that set the flag or unset the flag with:

    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT

(That's bitwise AND and the unary bitwise invert operator.)

To work around CVE-2021-3449, either disable TLS 1.0, 1.1, and 1.2 with

    ctx.minimum_version = ssl.TLSVersion.TLSv1_3

or disable renegotiation with

    ctx.options |= ssl.OP_NO_RENEGOTIATION

NOTE: Renegotiation is required for TLS 1.2 rekeying, optional TLS client cert authentication with TLS 1.2 and possibly other features. TLS 1.3 is not supported by older clients and servers.

Christian

_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/2GULUR43MNEW3IJM44LS5ZY2TOUANPNT/
Code of Conduct: http://python.org/psf/codeofconduct/
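The two workarounds from the message above, wrapped into a small helper so they can be applied to a server-side SSLContext and checked afterwards. This is an added example, not code from the post or from CPython. The version bounds (1.1.1 up to and including 1.1.1j affected, fixed in 1.1.1k) are taken from the OpenSSL advisory the post links to; the function and constant names are my own, and the version tuples fed in by the caller are constructed sample values, not real hosts.

```python
import ssl

# Assumption from the OpenSSL advisory (not stated in the post): the
# CVE-2021-3449 crash affects 1.1.1 through 1.1.1j and is fixed in 1.1.1k.
# ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); the
# patch letter 'k' is patch level 11, 'j' is 10.
AFFECTED_FROM = (1, 1, 1, 0)
FIXED_AT = (1, 1, 1, 11)


def openssl_needs_workaround(version_info=None):
    """True when the linked (or given) OpenSSL is a 1.1.1 release older than 1.1.1k."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return AFFECTED_FROM <= tuple(info)[:4] < FIXED_AT


def example_server_context(strict=True):
    """Hypothetical server context that has opted in to the strict X.509 flag,
    i.e. the non-default configuration the post says is exposed to CVE-2021-3450."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if strict:
        ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx


def harden_server_context(ctx, tls13_only=False):
    """Apply the post's workarounds to a server-side SSLContext in place."""
    # CVE-2021-3450 workaround: clear the strict X.509 verify flag
    # (bitwise AND with the inverted flag, exactly as the post shows).
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    # CVE-2021-3449 workaround: either refuse every pre-1.3 version so no
    # renegotiation can ever be sent, or keep TLS 1.2 but forbid renegotiation.
    # The post notes the trade-off: TLS 1.3 only breaks older clients,
    # OP_NO_RENEGOTIATION breaks TLS 1.2 rekeying and post-handshake client auth.
    if tls13_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def context_is_hardened(ctx):
    """Check that a context has the strict flag off and renegotiation unreachable."""
    strict_off = not (ctx.verify_flags & ssl.VERIFY_X509_STRICT)
    reneg_off = bool(ctx.options & ssl.OP_NO_RENEGOTIATION)
    tls13_only = ctx.minimum_version == ssl.TLSVersion.TLSv1_3
    return strict_off and (reneg_off or tls13_only)


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("workaround needed:", openssl_needs_workaround())
    ctx = example_server_context(strict=True)
    print("hardened before:", context_is_hardened(ctx))
    harden_server_context(ctx)
    print("hardened after: ", context_is_hardened(ctx))
```

Run it against the interpreter that serves your TLS endpoints, since the check reads the OpenSSL that CPython is actually linked against, which on Python.org installers is a bundled copy rather than the system library. The check is only a version comparison; as the post says, the real fix is updating OpenSSL and restarting the service.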