The ssl module would always disable the CBC IV attack countermeasure. Disable OpenSSL SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option.
Dates:
Disclosure date: 2012-01-27 (Python issue bpo-13885 reported)
Reported by: Apple security team
Python 2.6.8 (2012-04-10) fixed by commit d358e05 (branch 2.6) (2012-01-27)
Python 2.7.3 (2012-04-09) fixed by commit d358e05 (branch 2.6) (2012-01-27)
Python 3.1.5 (2012-04-06) fixed by commit f2bf8a6 (branch 2.7) (2012-01-27)
Python 3.2.3 (2012-04-10) fixed by commit f2bf8a6 (branch 2.7) (2012-01-27)
Python 3.3.0 (2012-09-29) fixed by commit f2bf8a6 (branch 2.7) (2012-01-27)
CVE-2011-3389: _ssl module always disables the CBC IV attack countermeasure.
Python issue: bpo-13885
Creation date: 2012-01-27
Reporter: Antoine Pitrou
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a “BEAST” attack.
CVE ID: CVE-2011-3389
Published: 2011-09-06
CVSS Score: 4.3
Timeline using the disclosure date 2012-01-27 as reference:
2011-09-06 (-143 days): CVE-2011-3389 published
2012-01-27: Python issue bpo-13885 reported by Antoine Pitrou
2012-01-27: commit d358e05 (branch 2.6)
2012-01-27: commit f2bf8a6 (branch 2.7)
2012-04-06 (+70 days): Python 3.1.5 released
2012-04-09 (+73 days): Python 2.7.3 released
2012-04-10 (+74 days): Python 2.6.8 released
2012-04-10 (+74 days): Python 3.2.3 released
2012-09-29: Python 3.3.0 released
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4