Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.10] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108318

Merged
merged 1 commit into from
Aug 22, 2023

Commits on Aug 22, 2023

  1. pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

    …ose flaw
    
    Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
    and included protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    
    The vulnerability is caused when a socket is connected, data is sent by the
    malicious peer and stored in a buffer, and then the malicious peer closes the
    socket within a small timing window before the other peers’ TLS handshake can
    begin. After this sequence of events the closed socket will not immediately
    attempt a TLS handshake due to not being connected but will also allow the
    buffered data to be read as if a successful TLS handshake had occurred.
    
    Co-Authored-By: Gregory P. Smith [Google LLC] <[email protected]>
    ambv and gpshead committed Aug 22, 2023
    Configuration menu
    Copy the full SHA
    621a117 View commit details
    Browse the repository at this point in the history