mirror of
https://github.com/python/cpython.git
synced 2025-12-23 09:19:18 +00:00
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers' TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Files in this directory:

- 2023-03-07-21-46-29.gh-issue-102509.5ouaH_.rst
- 2023-05-24-09-29-08.gh-issue-99108.hwS2cr.rst
- 2023-06-01-03-24-58.gh-issue-103142.GLWDMX.rst
- 2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
- 2023-08-05-03-51-05.gh-issue-107774.VPjaTR.rst
- 2023-08-22-17-39-12.gh-issue-108310.fVM3sg.rst
- README.rst
README.rst:

Put news entry `blurb`_ files for the *Security* section in this directory.

.. _blurb: https://pypi.org/project/blurb/