OpenSSL prior to 3.3.2 had a defect in SSL_select_next_proto where invalid values (such as an empty list) would cause a buffer overread (see CVE-2024-5535). The issue can be fixed in CPython by not calling SSL_select_next_proto with an invalid value.
This is a low severity vulnerability in CPython and is tracked separately in CVE-2024-5642. CPython 3.10 and beyond removed support for NPN and thus aren't affected by this issue.
CPython versions tested on:
3.8, 3.9
Operating systems tested on:
No response
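As an added illustration (not CPython's fix and not OpenSSL code), this is the kind of input check the report calls for: confirm that a protocol list in the length-prefixed wire format SSL_select_next_proto consumes is non-empty and well-formed before handing it to OpenSSL. The helper names and the sample lists are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Validate a protocol list in the format SSL_select_next_proto expects:
 * a sequence of entries, each a 1-byte length (1..255) followed by that
 * many bytes. Returns 1 if the list is non-empty and every entry is
 * complete, 0 otherwise. Hypothetical helper, not CPython's own code.
 */
static int proto_list_is_valid(const unsigned char *list, size_t len)
{
    size_t pos = 0;
    if (list == NULL || len == 0)
        return 0;                 /* empty list: must not be passed on */
    while (pos < len) {
        size_t entry_len = list[pos];
        if (entry_len == 0)
            return 0;             /* zero-length entry is malformed */
        if (entry_len > len - pos - 1)
            return 0;             /* entry runs past the end of the buffer */
        pos += 1 + entry_len;
    }
    return 1;
}

/* Returns 1 when both lists are safe to pass to SSL_select_next_proto,
 * 0 when the call must be skipped (and negotiation treated as failed). */
static int safe_to_select(const unsigned char *server, size_t server_len,
                          const unsigned char *client, size_t client_len)
{
    return proto_list_is_valid(server, server_len) &&
           proto_list_is_valid(client, client_len);
}

/* Constructed sample lists: "h2" + "http/1.1", and a truncated entry. */
static const unsigned char sample_ok[] =
    { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const unsigned char sample_truncated[] = { 5, 'h', '2' };

int main(void)
{
    printf("well-formed list: %d\n",
           proto_list_is_valid(sample_ok, sizeof sample_ok));
    printf("empty client list: %d\n",
           safe_to_select(sample_ok, sizeof sample_ok, sample_ok, 0));
    printf("truncated entry: %d\n",
           proto_list_is_valid(sample_truncated, sizeof sample_truncated));
    return 0;
}
```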
CPython 3.7 to 3.9 are only affected when using OpenSSL < 1.1.1, since CPython >= 3.7 did already drop NPN support with OpenSSL >= 1.1.1 (by accident? see 29eab55 and 9617741).
CPython 3.8 was released a year after OpenSSL 1.1.1, which makes it unlikely that the vulnerable combination of CPython >= 3.8 and OpenSSL < 1.1.1 would be common.
For Python3 < 3.7 in Debian ELTS I did the big hammer
-# define HAVE_NPN 1
+# define HAVE_NPN 0
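Review bot: Defining HAVE_NPN as 0 removes the NPN code path at build time for every OpenSSL version, which is broader than the fix the report describes (not calling SSL_select_next_proto with an invalid value); the commit message should state that NPN negotiation is disabled as a result and that the change is aimed at builds against OpenSSL < 1.1.1, the combination the comment above identifies as still affected on CPython 3.7 to 3.9.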
which might also be a reasonable approach for you for the rare affected setups with 3.8 or 3.9?