New submission from Antoine Pitrou <pit...@free.fr>:

Original e-mail from Apple security team:

> Follow-up: 187806281
>
> SSL 3.0 and TLS 1.0 are vulnerable to an attack described at
>
> http://www.openssl.org/~bodo/tls-cbc.txt
>
> OpenSSL includes a countermeasure which prevents the attack, but python
> 2.7 has, around line 372 of Modules/_ssl.c:
>
>     SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
>
> SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS which disables the
> countermeasure.
>
> 2.6 is similar.

----------
components: Extension Modules
messages: 152068
nosy: barry, benjamin.peterson, loewis, pitrou
priority: critical
severity: normal
stage: commit review
status: open
title: CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13885>
_______________________________________
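
Added example, not part of the original message and not CPython's own code: a Python check for the option bit the report names, applied to a constructed option word and to a live `ssl.SSLContext`. The numeric value `0x800` for `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` is taken from OpenSSL's `ssl.h` and is an assumption here, as are the helper names.

```python
import ssl

# SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as defined in OpenSSL's ssl.h.
# Assumption: the numeric value is not given in the report above.
OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x800


def countermeasure_disabled(options):
    """Return True if the option word switches off the empty-fragment
    countermeasure against the CBC IV attack."""
    return bool(int(options) & OP_DONT_INSERT_EMPTY_FRAGMENTS)


def enable_countermeasure(ctx):
    """Clear the bit on an SSLContext, keeping every other option."""
    ctx.options &= ~OP_DONT_INSERT_EMPTY_FRAGMENTS
    return ctx


def audit(contexts):
    """Map each named context to True when its countermeasure is off."""
    return {name: countermeasure_disabled(ctx.options)
            for name, ctx in contexts.items()}


# Constructed stand-in for an option word that carries the bit, as the raw
# SSL_OP_ALL passed by the reported line does.
REPORTED_OPTIONS = int(ssl.OP_ALL) | OP_DONT_INSERT_EMPTY_FRAGMENTS

if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("reported option word:", countermeasure_disabled(REPORTED_OPTIONS))
    print("this interpreter:", audit({"client": ctx}))
```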