[Python-checkins] cpython (merge 2.6 -> 2.7): Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV
antoine.pitrou
python-checkins at python.org
Fri Jan 27 09:49:22 CET 2012
http://hg.python.org/cpython/rev/8dec547c23d3
changeset: 74646:8dec547c23d3
branch: 2.7
parent: 74637:f18662285248
parent: 74645:9a4131ada792
user: Antoine Pitrou <solipsis at pitrou.net>
date: Fri Jan 27 09:44:08 2012 +0100
summary:
Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
files:
Misc/NEWS | 3 +++
Modules/_ssl.c | 3 ++-
2 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -90,6 +90,9 @@
Library
-------
+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+ IV attack countermeasure.
+
- Issue #6631: Disallow relative file paths in urllib urlopen methods.
- Issue #13781: Prevent gzip.GzipFile from using the dummy filename provided by
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -369,7 +369,8 @@
}
/* ssl compatibility */
- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(self->ctx,
+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
verification_mode = SSL_VERIFY_NONE;
if (certreq == PY_SSL_CERT_OPTIONAL)
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list