Issue 13885: CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/58093

classification

Title:	CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure
Type:	security	Stage:	resolved
Components:	Extension Modules	Versions:	Python 3.1, Python 3.2, Python 3.3, Python 2.7, Python 2.6

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	Nosy List:	barry, benjamin.peterson, jcea, loewis, pitrou, python-dev, thoger
Priority:	critical	Keywords:	patch

Created on 2012年01月27日 08:25 by pitrou, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
CVE-2011-3389-2.7.patch	pitrou, 2012年01月27日 08:34
CVE-2011-3389-3.2.patch	pitrou, 2012年01月27日 08:34

Messages (7)
msg152068 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2012年01月27日 08:25
Original e-mail from Apple security team: > Follow-up: 187806281 > > SSL 3.0 and TLS 1.0 are vulnerable to an attack described at > > http://www.openssl.org/~bodo/tls-cbc.txt > > OpenSSL includes a countermeasure which prevents the attack, but python > 2.7 has, around line 372 of Modules/_ssl.c: > > SSL_CTX_set_options(self->ctx, SSL_OP_ALL); > > SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS which disables the > countermeasure. > > 2.6 is similar.
msg152069 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2012年01月27日 08:34
Attaching patches.
msg152071 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2012年01月27日 08:49
New changeset 9a4131ada792 by Antoine Pitrou in branch '2.6': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/9a4131ada792 New changeset 8dec547c23d3 by Antoine Pitrou in branch '2.7': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/8dec547c23d3
msg152072 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2012年01月27日 08:57
New changeset e7706bdaaa0d by Antoine Pitrou in branch '3.1': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/e7706bdaaa0d New changeset 4386686a035d by Antoine Pitrou in branch '3.2': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/4386686a035d New changeset d1390175fdc6 by Antoine Pitrou in branch 'default': Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. http://hg.python.org/cpython/rev/d1390175fdc6
msg152073 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2012年01月27日 08:58
This hopefully fixes the issue.
msg152093 - (view)	Author: Benjamin Peterson (benjamin.peterson) * (Python committer)	Date: 2012年01月27日 13:06
Thank you for handling this, Antoine!
msg155599 - (view)	Author: Tomas Hoger (thoger)	Date: 2012年03月13日 12:25
Is the final patch going to enable empty fragments unconditionally and will ofter no way to disable them? curl did that recently and ended up adding option to allow users to disable empty fragments when they break compatibility: http://curl.haxx.se/docs/adv_20120124B.html http://thread.gmane.org/gmane.comp.web.curl.library/34659 http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLOPTIONS http://curl.haxx.se/docs/manpage.html#--ssl-allow-beast

History
Date	User	Action	Args
2022年04月11日 14:57:26	admin	set	github: 58093
2012年03月13日 12:25:51	thoger	set	nosy: + thoger messages: + msg155599
2012年02月01日 20:08:36	jcea	set	nosy: + jcea
2012年01月27日 13:06:14	benjamin.peterson	set	messages: + msg152093
2012年01月27日 08:58:46	pitrou	set	status: open -> closed resolution: fixed messages: + msg152073 stage: commit review -> resolved
2012年01月27日 08:57:49	python-dev	set	messages: + msg152072
2012年01月27日 08:49:22	python-dev	set	nosy: + python-dev messages: + msg152071
2012年01月27日 08:34:21	pitrou	set	files: + CVE-2011-3389-3.2.patch messages: + msg152069
2012年01月27日 08:34:03	pitrou	set	files: + CVE-2011-3389-2.7.patch keywords: + patch
2012年01月27日 08:25:53	pitrou	create

homepage