Описание
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| pyopenssl | unfixed | package | ||
| pyopenssl | no-dsa | trixie | package | |
| pyopenssl | no-dsa | bookworm | package |
Примечания
https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424
https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 (26.0.0)
EPSS
Связанные уязвимости
(pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in ...)
A flaw was found in pyOpenSSL. The set_tlsext_servername_callback callback function can be used to implement Server Name Indication (SNI) during the TLS handshake. When the callback raises an unhandled exception, the handshake incorrectly proceeds instead of terminating. This fail-open behavior can allow an attacker to bypass SNI-based security controls and access restricted endpoints.
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
EPSS