OpenSSL prior to 3.3.2 had a defect in SSL_select_next_proto where invalid values (such as an empty list) would cause a buffer overread (see CVE-2024-5535). The issue can be fixed in CPython by not calling SSL_select_next_proto with an invalid value.
This is a low severity vulnerability in CPython and is tracked separately in CVE-2024-5642. CPython 3.10 and beyond removed support for NPN and thus aren't affected by this issue.
CPython versions tested on:
3.8, 3.9
Operating systems tested on:
No response
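A caller-side guard of the kind the report describes, as an added example (not CPython's actual patch and not OpenSSL code). It assumes the lists use the one-byte length-prefixed encoding of NPN/ALPN protocol lists; `proto_list_is_valid`, `guarded_select`, `GUARD_REJECTED` and the stub are hypothetical names, and the sample lists are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Same parameter list as OpenSSL's SSL_select_next_proto. */
typedef int (*select_fn)(unsigned char **out, unsigned char *outlen,
                         const unsigned char *server, unsigned int server_len,
                         const unsigned char *client, unsigned int client_len);

#define GUARD_REJECTED (-1) /* hypothetical code: select was never called */

/* Constructed samples: "h2"+"http/1.1", a truncated entry, a zero-length entry. */
const unsigned char good[] = {2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'};
const unsigned char truncated[] = {2, 'h', '2', 8, 'h', 't'};
const unsigned char zero_entry[] = {2, 'h', '2', 0};

/* 1 if buf[0..len) is a non-empty list of non-empty, in-bounds entries. */
int proto_list_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (buf == NULL || len == 0)
        return 0;                   /* empty list: the case in the report */
    while (i < len) {
        size_t n = buf[i];          /* one-byte length prefix */
        if (n == 0 || n > len - i - 1)
            return 0;               /* empty name, or entry overruns buffer */
        i += 1 + n;
    }
    return 1;
}

/* Hand the lists to fn only when both are well formed. */
int guarded_select(select_fn fn, unsigned char **out, unsigned char *outlen,
                   const unsigned char *server, unsigned int server_len,
                   const unsigned char *client, unsigned int client_len)
{
    if (!proto_list_is_valid(server, server_len) ||
        !proto_list_is_valid(client, client_len)) {
        *out = NULL;
        *outlen = 0;
        return GUARD_REJECTED;
    }
    return fn(out, outlen, server, server_len, client, client_len);
}

/* Constructed stand-in for the real function: counts calls, picks entry 0. */
static int stub_calls;
static int stub_select(unsigned char **out, unsigned char *outlen,
                       const unsigned char *server, unsigned int sl,
                       const unsigned char *client, unsigned int cl)
{
    (void)sl; (void)client; (void)cl;
    stub_calls++;
    *out = (unsigned char *)server + 1;
    *outlen = server[0];
    return 1;
}

int main(void)
{
    unsigned char *out, n;
    int rc = guarded_select(stub_select, &out, &n, good, sizeof good, good, 0);
    printf("empty client list: rc=%d, select calls=%d\n", rc, stub_calls);
    return 0;
}
```

In a real build, `SSL_select_next_proto` would be passed in place of `stub_select`.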