[issue25672] Unconditionally set SSL_MODE_RELEASE_BUFFERS
Cory Benfield
report at bugs.python.org
Thu Nov 19 13:20:06 EST 2015
Cory Benfield added the comment:
Oh, one further requirement: we should *not* set this mode for OpenSSL releases 1.x through 1.0.1g, which have a NULL pointer dereference vulnerability (CVE-2014-0198). Thanks to Marc-Andre Lemburg for spotting this.
See also: https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2014-0198
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25672>
_______________________________________
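
The version gate described in the comment above, as an added example that is not part of the original message or of CPython's code. It assumes "1.x through 1.0.1g" means 1.0.0 through 1.0.1g inclusive; the function names and the sample version numbers are constructed for illustration.

```python
import ssl

# Assumption: the range in the comment is read as 1.0.0 .. 1.0.1g inclusive.
AFFECTED_LOW = (1, 0, 0, 0)    # 1.0.0
AFFECTED_HIGH = (1, 0, 1, 7)   # 1.0.1g (patch letter g is the 7th)


def decode_version(number):
    """Split an OPENSSL_VERSION_NUMBER into (major, minor, fix, patch).

    Pre-3.0 layout is 0xMNNFFPPS: one nibble for major, one byte each for
    minor, fix and patch, then a status nibble that is ignored here.
    OpenSSL 3.x keeps the major nibble in the same place, so such builds
    still decode to a tuple above the affected range.
    """
    return (
        (number >> 28) & 0xF,
        (number >> 20) & 0xFF,
        (number >> 12) & 0xFF,
        (number >> 4) & 0xFF,
    )


def in_affected_range(number):
    """True if the version is one where the mode should not be set."""
    return AFFECTED_LOW <= decode_version(number) <= AFFECTED_HIGH


def linked_openssl_in_affected_range():
    """Apply the check to the OpenSSL this interpreter is linked against."""
    return in_affected_range(ssl.OPENSSL_VERSION_NUMBER)


if __name__ == "__main__":
    # Constructed sample values: 1.0.0, 1.0.1g, 1.0.1h, 1.1.1
    for sample in (0x1000000F, 0x1000107F, 0x1000108F, 0x1010100F):
        print(hex(sample), decode_version(sample), in_affected_range(sample))
    print("linked:", ssl.OPENSSL_VERSION, linked_openssl_in_affected_range())
```

A version comparison cannot see fixes that a distribution has backported without changing the version number, so a build flagged here may already be patched.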