From: Antoine Pitrou Date: Fri, 27 Jan 2012 08:48:47 +0000 (+0100) Subject: Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack... X-Git-Tag: v3.1.5rc1~11 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f2bf8a6ac51530e14d798a03c8e950dd934d85cd;p=python Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure. --- diff --git a/Misc/NEWS b/Misc/NEWS index b14e169a88..b70b097cb7 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -13,6 +13,9 @@ Core and Builtins Library ------- +- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC + IV attack countermeasure. + - Issue #11603: Fix a crash when __str__ is rebound as __repr__. Patch by Andreas Stührk. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 8ebdc9b99d..16fbb4db42 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -365,7 +365,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file, } /* ssl compatibility */ - SSL_CTX_set_options(self->ctx, SSL_OP_ALL); + SSL_CTX_set_options(self->ctx, + SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); verification_mode = SSL_VERIFY_NONE; if (certreq == PY_SSL_CERT_OPTIONAL)