➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2018-03-25 09:19 bychristian.heimes, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 6229 | open | christian.heimes,2018-03-25 10:06 | |
| PR 6230 | merged | miss-islington,2018-03-25 10:37 | |
| Messages (5) | |||
|---|---|---|---|
| msg314400 -(view) | Author: Christian Heimes (christian.heimes)* | Date: 2018-03-25 09:19 | |
Since 3.7, the ssl module uses X509_VERIFY_PARAM_set1_host() to put the burden of hostname matching on OpenSSL. More specific, it calls X509_VERIFY_PARAM_set1_host(param, server_hostname, 0). The namelen=0 parameter means that OpenSSL handles server_hostname as a NUL-terminated C string.LibreSSL 2.7.0 added X509_VERIFY_PARAM_set1_host(), but took the implementation from BoringSSL instead of OpenSSL. The BoringSSL implementation doesn't support namelen=0. X509_VERIFY_PARAM_set1_host(param, server_hostname, 0) returns success but doesn't configure the SSL connection for hostname verification. As a result, LibreSSL 2.7.0 doesn't perform any hostname matching. All trusted certificates are accepted for just any arbitrary hostname. This misbehavior left Python 3.7 beta open to man-in-the-middle attack.LibreSSL 2.7.1 has fixed the issue. To harden the ssl module against, I'm also changing our implementation to use strlen() instead of 0.https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8970https://bugs.chromium.org/p/boringssl/issues/detail?id=30https://bugs.chromium.org/p/chromium/issues/detail?id=824799 (restricted for now) | |||
| msg314402 -(view) | Author: Christian Heimes (christian.heimes)* | Date: 2018-03-25 10:36 | |
New changesetd02ac25ab0879f1a6de6937573bf00a16b7bd22e by Christian Heimes in branch 'master':bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229)https://github.com/python/cpython/commit/d02ac25ab0879f1a6de6937573bf00a16b7bd22e | |||
| msg314406 -(view) | Author: Christian Heimes (christian.heimes)* | Date: 2018-03-25 11:28 | |
New changeset2dd885eaa0d427e84892673c83d697bca5427c8b by Christian Heimes (Miss Islington (bot)) in branch '3.7':[3.7]bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229) (GH-6230)https://github.com/python/cpython/commit/2dd885eaa0d427e84892673c83d697bca5427c8b | |||
| msg364181 -(view) | Author: Ashwin Ramaswami (epicfaace)* | Date: 2020-03-14 15:06 | |
Can this be closed now? | |||
| msg388600 -(view) | Author: Gregory P. Smith (gregory.p.smith)* | Date: 2021-03-13 10:03 | |
yes, this was fixed. | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:59 | admin | set | github: 77317 |
| 2021-03-13 10:03:31 | gregory.p.smith | set | status: open -> closed nosy: +gregory.p.smith messages: +msg388600 resolution: fixed stage: patch review -> commit review |
| 2020-03-14 15:06:35 | epicfaace | set | nosy: +epicfaace messages: +msg364181 |
| 2018-03-25 11:28:22 | christian.heimes | set | messages: +msg314406 |
| 2018-03-25 10:37:32 | miss-islington | set | pull_requests: +pull_request5969 |
| 2018-03-25 10:36:16 | christian.heimes | set | messages: +msg314402 |
| 2018-03-25 10:06:47 | christian.heimes | set | keywords: +patch stage: needs patch -> patch review pull_requests: +pull_request5968 |
| 2018-03-25 09:19:22 | christian.heimes | create | |