Mailing List Archive: Python: Dev

OpenSSL vulnerability



theller at python

Sep 30, 2003, 9:29 AM

Post #1 of 12 (189 views)
OpenSSL vulnerability

Is this enough reason to use OpenSSL version 0.9.7c instead of 0.9.7b
for the 2.3.2 final windows installer, or should the release candidate
remain unchanged?

<http://www.openssl.org/news/secadv_20030930.txt>

Thomas



_______________________________________________
Python-Dev mailing list
Python-Dev[at]python.org
http://mail.python.org/mailman/listinfo/python-dev


skip at pobox

Sep 30, 2003, 9:58 AM

Post #2 of 12 (185 views)
Re: OpenSSL vulnerability [In reply to]

Thomas> Is this enough reason to use OpenSSL version 0.9.7c instead of
Thomas> 0.9.7b for the 2.3.2 final windows installer, or should the
Thomas> release candidate remain unchanged?

Thomas> <http://www.openssl.org/news/secadv_20030930.txt>

At this point I'm inclined to let it go. There are many other vulnerable
SS[LH] targets out there, and you can't wait forever until the OpenSS[LH]
folks stop emitting patches.

Skip




anthony at interlink

Sep 30, 2003, 10:12 AM

Post #3 of 12 (185 views)
Re: OpenSSL vulnerability [In reply to]

>>> Thomas Heller wrote
> Is this enough reason to use OpenSSL version 0.9.7c instead of 0.9.7b
> for the 2.3.2 final windows installer, or should the release candidate
> remain unchanged?
>
> <http://www.openssl.org/news/secadv_20030930.txt>

I'd say build with the patched libraries, but only if you can test them
before then. OTOH, most of the advisory seems to be about server-side
problems, and the inbuilt SSL stuff in python is client stuff.

go-not-to-australians-for-answers-for-they-will-answer-both-yes-and-no,
Anthony
--
Anthony Baxter <anthony[at]interlink.com.au>
It's never too late to have a happy childhood.




debatem1 at gmail

Nov 6, 2009, 1:15 PM

Post #4 of 12 (185 views)
Re: OpenSSL vulnerability [In reply to]

On Fri, Nov 6, 2009 at 3:22 PM, Guido van Rossum <guido[at]python.org> wrote:
> Now that a new SSL vulnerability is out
> (http://extendedsubset.com/?p=8) should we regenerate binary
> distributions that include copies of openssl (I think only the Windows
> MSIs) ?
>
> Does it affect any of our ssl APIs?
>
> --
> --Guido van Rossum (python.org/~guido)

The proposal on the table is to add a TLS extension that
takes care of the problem, leave clients unchanged, and
to stop servers from rehandshaking with clients that don't
support the extension. AFAICS, that's all supposed to be
handled by openssl. Certainly the EVP stuff won't need
to be modified.

The version of openssl being distributed should definitely
be brought up to 0.9.8l though.

Geremy Condra


janssen at parc

Nov 6, 2009, 2:18 PM

Post #5 of 12 (185 views)
Re: OpenSSL vulnerability [In reply to]

Guido,

I'm working from <http://extendedsubset.com/Renegotiating_TLS.pdf>.

I believe geremy is right. The current SSL module does not expose much
of the SSL API, so servers implemented in Python, using it, should
(fortuitously) be immune to some of the attacks outlined, simply
because there's no way to do an application-initiated renegotiation,
which the first two scenarios presuppose. On the other hand, there's no
way to do application-directed session resumption, either, which might
be a good add to support new or updated application protocols which
address this problem.

So I think there's not much we can do in Python source code to address
this, unless there's a switch we can throw in the existing OpenSSL API
to turn off renegotiation completely. I'll look, and I'll talk this
over with our security group. Building binaries with newer versions of
OpenSSL is pretty much always a good idea, it seems to me.

More generally, this is a nice description of how simply layering TLS
onto existing application protocols like HTTP doesn't always work very
well.

Bill


exarkun at twistedmatrix

Nov 6, 2009, 2:36 PM

Post #6 of 12 (185 views)
Re: OpenSSL vulnerability [In reply to]

On 10:18 pm, janssen[at]parc.com wrote:
>Guido,
>
>I'm working from <http://extendedsubset.com/Renegotiating_TLS.pdf>.
>
>I believe geremy is right. The current SSL module does not expose much
>of the SSL API, so servers implemented in Python, using it, should
>(fortuitously) be immune to some of the attacks outlined, simply
>because there's no way to do an application-initiated renegotiation,
>which the first two scenarios presuppose. On the other hand, there's no
>way to do application-directed session resumption, either, which might
>be a good add to support new or updated application protocols which
>address this problem.

Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a
MitM anyway, so this can only be an issue for code using the new APIs in
Python 2.6.

Jean-Paul


guido at python

Nov 6, 2009, 3:12 PM

Post #7 of 12 (185 views)
Re: OpenSSL vulnerability [In reply to]

On Fri, Nov 6, 2009 at 2:36 PM, <exarkun[at]twistedmatrix.com> wrote:
> Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a MitM
> anyway, so this can only be an issue for code using the new APIs in Python
> 2.6.

That's not going to stop the
wannabe-self-proclaimed-so-called-vulnerability-"experts" from whining
about Python not releasing updated binary distributions though. :-(

--
--Guido van Rossum (python.org/~guido)


martin at v

Nov 8, 2009, 10:56 AM

Post #8 of 12 (164 views)
Re: OpenSSL vulnerability [In reply to]

>> Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a MitM
>> anyway, so this can only be an issue for code using the new APIs in Python
>> 2.6.
>
> That's not going to stop the
> wannabe-self-proclaimed-so-called-vulnerability-"experts" from whining
> about Python not releasing updated binary distributions though. :-(

The Windows binaries currently build with 0.9.8g. Since changing that
would be a source code change (even though just a single line), I think
a full source release would be necessary (most likely then for both 2.6
and 3.1).

Regards,
Martin
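The question this thread keeps returning to is whether a bundled OpenSSL (the 0.9.7b in Thomas's first post, the 0.9.8g Martin names here) is below the release an advisory asks for (0.9.7c, 0.9.8l). The check below is an added example, not code from the thread or from CPython; it implements the pre-1.0 letter-suffixed OpenSSL version ordering and also reads the version the running interpreter's ssl module was linked against. Function names are mine.

```python
import re
import ssl

# Pre-1.0 OpenSSL versions look like "MAJOR.MINOR.FIX" plus an optional
# lowercase patch-letter suffix (0.9.7b, 0.9.8g, 0.9.8l, later 0.9.8za).
# Trailing build tags ("-fips", a release date) are ignored for ordering.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return a sortable (major, minor, fix, patch_letters) key.

    The letter suffix compares as a plain string: an unsuffixed release sorts
    before "a", and "z" sorts before "za", matching how 0.9.8 was numbered.
    Accepts bare versions and ssl.OPENSSL_VERSION-style banners.
    """
    m = _VERSION_RE.search(text.lower())
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)


def is_at_least(installed, required):
    """True when `installed` is the same release as `required` or newer."""
    return parse_openssl_version(installed) >= parse_openssl_version(required)


def bundled_openssl_is_outdated(installed, advisory_fix_version):
    """The thread's question: is the bundled library below the fixed release?"""
    return not is_at_least(installed, advisory_fix_version)


def running_interpreter_openssl():
    """Banner of the OpenSSL the running ssl module was linked against."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    # Constructed sample: the version pairs this thread discusses.
    checks = [("0.9.7b", "0.9.7c"), ("0.9.8g", "0.9.8l"), ("0.9.8l", "0.9.8l")]
    for installed, fixed in checks:
        state = "OUTDATED" if bundled_openssl_is_outdated(installed, fixed) else "ok"
        print("%-8s vs fix %-8s %s" % (installed, fixed, state))
    print("this interpreter:", running_interpreter_openssl())
```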


g.brandl at gmx

Nov 8, 2009, 1:25 PM

Post #9 of 12 (164 views)
Re: OpenSSL vulnerability [In reply to]

Guido van Rossum schrieb:
> On Fri, Nov 6, 2009 at 2:36 PM, <exarkun[at]twistedmatrix.com> wrote:
>> Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a MitM
>> anyway, so this can only be an issue for code using the new APIs in Python
>> 2.6.
>
> That's not going to stop the
> wannabe-self-proclaimed-so-called-vulnerability-"experts" from whining
> about Python not releasing updated binary distributions though. :-(

Yet it has been quiet on the Finnish front so far :)

Georg

--
Thus spake the Lord: Thou shalt indent with four spaces. No more, no less.
Four shall be the number of spaces thou shalt indent, and the number of thy
indenting shall be four. Eight shalt thou not indent, nor either indent thou
two, excepting that thou then proceed to four. Tabs are right out.



barry at python

Nov 9, 2009, 6:12 AM

Post #10 of 12 (152 views)
Re: OpenSSL vulnerability [In reply to]

On Nov 8, 2009, at 12:56 PM, Martin v. Löwis wrote:

>>> Also, for Python 2.5 and earlier, any SSL-based code is vulnerable to a MitM
>>> anyway, so this can only be an issue for code using the new APIs in Python
>>> 2.6.
>>
>> That's not going to stop the
>> wannabe-self-proclaimed-so-called-vulnerability-"experts" from whining
>> about Python not releasing updated binary distributions though. :-(
>
> The Windows binaries currently build with 0.9.8g. Since changing that
> would be a source code change (even though just a single line), I think
> a full source release would be necessary (most likely then for both 2.6
> and 3.1).

I don't think it's worth making a quick 2.6.5 release for this if its
primary intent is to produce new Windows binaries. I'm okay with
making the changes to the tree, but we'll release 2.6.5 on a "normal"
schedule.

-Barry


ncoghlan at gmail

Nov 10, 2009, 6:28 AM

Post #11 of 12 (152 views)
Re: OpenSSL vulnerability [In reply to]

Barry Warsaw wrote:
> I don't think it's worth making a quick 2.6.5 release for this if its
> primary intent is to produce new Windows binaries. I'm okay with making
> the changes to the tree, but we'll release 2.6.5 on a "normal" schedule.

Perhaps publish a source patch relative to 2.6.4 for people that would
like to rebuild their own Windows binaries with just that change?

Cheers,
Nick.

--
Nick Coghlan | ncoghlan[at]gmail.com | Brisbane, Australia
---------------------------------------------------------------


barry at python

Nov 10, 2009, 6:34 AM

Post #12 of 12 (152 views)
Re: OpenSSL vulnerability [In reply to]

On Nov 10, 2009, at 8:28 AM, Nick Coghlan wrote:

> Barry Warsaw wrote:
>> I don't think it's worth making a quick 2.6.5 release for this if its
>> primary intent is to produce new Windows binaries. I'm okay with making
>> the changes to the tree, but we'll release 2.6.5 on a "normal" schedule.
>
> Perhaps publish a source patch relative to 2.6.4 for people that would
> like to rebuild their own Windows binaries with just that change?

+1. A link to that could easily go on the 2.6.4 page. Perhaps the
right way to do it is to put the blessed patch in roundup and add a
link to that patch file on the website.

-Barry