There is a buffer over-read defect in CPython 3.9 and earlier due to not excluding an invalid value for OpenSSL's NPN APIs.
This vulnerability is of severity *LOW*. CPython doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity because NPN is not widely used and specifying an empty list is likely uncommon in practice (typically a protocol name would be configured).

Suggested mitigation is one of the following:

* Upgrade to Python 3.10 or later, where NPN isn't supported
* Avoid using NPN via SSLContext.set_npn_protocols()
* Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()
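As an added illustration that is not part of the announcement, the helper below reproduces the length-prefixed protocol list CPython builds for OpenSSL and refuses the empty list before any call into SSLContext.set_npn_protocols(), preferring ALPN where the build offers it; the function names are chosen here, while ssl.HAS_ALPN and ssl.HAS_NPN are the standard library's own flags.

```python
"""Guard against the empty-list NPN misuse described in the advisory."""
import ssl
import warnings


def encode_protocol_list(protocols):
    """Build the wire format handed to OpenSSL for NPN/ALPN:
    one length byte followed by the protocol name, repeated.

    An empty list would produce an empty buffer, which is the invalid
    input the OpenSSL NPN code over-reads (CVE-2024-5535), so reject it.
    """
    if not protocols:
        raise ValueError("protocol list must not be empty")
    wire = bytearray()
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError(f"protocol name length out of range: {name!r}")
        wire.append(len(raw))
        wire += raw
    return bytes(wire)


def is_safe_protocol_list(protocols):
    """True when the list is non-empty and every entry is 1..255 bytes."""
    try:
        encode_protocol_list(protocols)
    except ValueError:
        return False
    return True


def configure_protocol_negotiation(ctx, protocols, allow_npn=False):
    """Apply *protocols* to an SSLContext, preferring ALPN.

    NPN is used only when explicitly allowed and the build still supports
    it (ssl.HAS_NPN is False from Python 3.10 on).  Validation happens
    first, so an empty list never reaches set_npn_protocols().
    Returns the mechanism used: "alpn" or "npn".
    """
    if not is_safe_protocol_list(protocols):
        raise ValueError("refusing invalid protocol list")
    if ssl.HAS_ALPN:
        ctx.set_alpn_protocols(list(protocols))
        return "alpn"
    if allow_npn and ssl.HAS_NPN:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_npn_protocols(list(protocols))  # deprecated path
        return "npn"
    raise RuntimeError("no protocol negotiation mechanism available")
```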
Security-announce mailing list -- https://mail.python.org/mailman3/lists/security-announce.python.org/