Disallow setting an empty list for NPN in CPython 3.9 and earlier #121227

Open
sethmlarson opened this issue Jul 1, 2024 · 0 comments
Labels: 3.8 (only security fixes), 3.9 (only security fixes), type-security (A security issue)

sethmlarson commented Jul 1, 2024

Bug report

Bug description:

OpenSSL prior to 3.3.2 had a defect in SSL_select_next_proto where invalid values (such as an empty list) would cause a buffer overread (see CVE-2024-5535). The issue can be fixed in CPython by not calling SSL_select_next_proto with an invalid value.

This is a low severity vulnerability in CPython and is tracked separately in CVE-2024-5642. CPython 3.10 and beyond removed support for NPN and thus aren't affected by this issue.

CPython versions tested on:

3.8, 3.9

Operating systems tested on:

No response

sethmlarson added the type-bug and type-security labels and removed the type-bug label on Jul 1, 2024.
Eclips4 added the 3.9 and 3.8 labels on Jul 1, 2024.
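
The check described in the report, as an added example that is not part of the original issue and is not CPython's or OpenSSL's code: validating an NPN/ALPN protocol list (a sequence of 1-byte-length-prefixed strings) before it is handed to `SSL_select_next_proto`. The function name and sample byte strings are hypothetical and constructed; besides the empty list named in the issue, the check also rejects zero-length and truncated entries.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not CPython's or OpenSSL's code): returns 1 when buf
 * holds a well-formed protocol list, 0 otherwise. Each entry is a 1-byte
 * length followed by that many bytes; the list must contain at least one
 * entry and no entry may be empty or run past the end of the buffer. */
static int protocol_list_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    /* An empty list is the case named in the issue: reject it up front. */
    if (buf == NULL || len == 0)
        return 0;

    while (i < len) {
        size_t entry_len = buf[i];

        /* A zero-length protocol name is invalid. */
        if (entry_len == 0)
            return 0;
        /* The entry must fit in the bytes remaining after its prefix. */
        if (entry_len > len - i - 1)
            return 0;
        i += 1 + entry_len;
    }
    return 1;
}

/* Constructed sample inputs. */
static const unsigned char good_list[] =
    { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const unsigned char zero_entry[] = { 2, 'h', '2', 0 };
static const unsigned char truncated[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p' };

int main(void)
{
    printf("good list:  %d\n", protocol_list_is_valid(good_list, sizeof good_list));
    printf("empty list: %d\n", protocol_list_is_valid(good_list, 0));
    printf("zero entry: %d\n", protocol_list_is_valid(zero_entry, sizeof zero_entry));
    printf("truncated:  %d\n", protocol_list_is_valid(truncated, sizeof truncated));
    return 0;
}
```

A caller would skip the `SSL_select_next_proto` call and fail the configuration step whenever this check returns 0.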