ssl: Fix locking in cert_store_stats and get_ca_certs #114572
Labels
type-bug
An unexpected behavior, bug, or error
Comments
davidben added a commit to davidben/cpython that referenced this issue Jan 25, 2024
cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.
alex pushed a commit that referenced this issue Feb 16, 2024

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 16, 2024

…thonGH-114573)

* pythongh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb

(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
This was referenced Feb 16, 2024
pablogsal pushed a commit that referenced this issue Feb 20, 2024

…H-114573) (#115549)

gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb

(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
pablogsal pushed a commit that referenced this issue Feb 20, 2024

…H-114573) (#115548)

gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb

(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
encukou pushed a commit that referenced this issue Feb 29, 2024

…H-114573) (GH-115547)

gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb

(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
Closing as the PR has been merged and backported. Thanks!
diegorusso pushed a commit to diegorusso/cpython that referenced this issue Apr 17, 2024

…thon#114573)

* pythongh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Apr 19, 2024
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Apr 30, 2024

…ca_certs

(cherry picked from commit 732c7d5)

Co-authored-by: Seth Michael Larson <seth@python.org>
ambv pushed a commit that referenced this issue May 10, 2024
gentoo-bot pushed a commit to gentoo/cpython that referenced this issue May 21, 2024

…rts (pythonGH-114573) (python#115548)

pythongh-114572: Fix locking in cert_store_stats and get_ca_certs (pythonGH-114573)

* pythongh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem
* Add missing X509_STORE_get1_objects failure check
* Add blurb

(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Jun 21, 2024

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See gh#openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock.

From-PR: gh#python/cpython!114573
Fixes: gh#python#114572
Fixes: bsc#1226447 (CVE-2024-0397)
Patch: CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
Backported from Python3.8 pythongh-114572
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
Backported from : [3.8] pythongh-114572: Fix locking in cert_store_stats and get_ca_certs python#118442
icanhasmath added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
CVE-2024-0397 Fix for the problem, backported from Python3.8 pythongh-114572
icanhasmath added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 28, 2024
Backport python@e8268b1 Which is pythongh-114572
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 29, 2024
Backport python@e8268b1 Which is pythongh-114572
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 29, 2024
Backported from : [3.8] pythongh-114572: Fix locking in cert_store_stats and get_ca_certs python#118442
rickprice added a commit to ActiveState/cpython that referenced this issue Jul 12, 2024
Backported from : [3.8] pythongh-114572: Fix locking in cert_store_stats and get_ca_certs python#118442
icanhasmath pushed a commit to ActiveState/cpython that referenced this issue Aug 8, 2024
Backported from : [3.8] pythongh-114572: Fix locking in cert_store_stats and get_ca_certs python#118442
Bug report
Bug description:
Filing this to attach a PR to.
cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux, macOS
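
The locking pattern the report describes, modelled without OpenSSL as an added example (not code from CPython or OpenSSL; `store_t`, `obj_t`, `snap_t` and the `store_*` functions are hypothetical stand-ins). A get0-style accessor returns a pointer into state that a concurrent writer can relocate, while a get1-style accessor copies the list and takes a reference on each entry while holding the store lock.

```c
/* Toy model of the X509_STORE object list; every name here is a hypothetical
   stand-in for illustration, not OpenSSL or CPython code. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

typedef struct { atomic_int refs; int id; } obj_t;   /* stands in for X509_OBJECT */
typedef struct {
    pthread_mutex_t lock;      /* role of X509_STORE_lock / X509_STORE_unlock */
    obj_t **objs; size_t n;    /* internal list; realloc may move it */
} store_t;
typedef struct { obj_t **objs; size_t n; } snap_t;   /* caller-owned snapshot */

/* Writer: appends under the lock, possibly relocating the internal array. */
int store_add(store_t *s, int id) {
    obj_t *o = malloc(sizeof *o);
    if (!o) return 0;
    atomic_init(&o->refs, 1); o->id = id;
    pthread_mutex_lock(&s->lock);
    obj_t **grown = realloc(s->objs, (s->n + 1) * sizeof *grown);
    if (grown) { s->objs = grown; s->objs[s->n++] = o; }
    pthread_mutex_unlock(&s->lock);
    if (!grown) free(o);
    return grown != NULL;
}

/* get0 style: borrowed pointer into the store, only safe while the lock is held. */
obj_t **store_get0_objects(store_t *s) { return s->objs; }

/* get1 style: lock, copy the list, take a reference per entry, unlock. */
snap_t *store_get1_objects(store_t *s) {
    snap_t *r = malloc(sizeof *r);
    if (!r) return NULL;
    pthread_mutex_lock(&s->lock);
    r->n = s->n;
    r->objs = malloc((r->n ? r->n : 1) * sizeof *r->objs);
    for (size_t i = 0; r->objs && i < r->n; i++) {
        r->objs[i] = s->objs[i];
        atomic_fetch_add(&r->objs[i]->refs, 1);
    }
    pthread_mutex_unlock(&s->lock);
    if (!r->objs) { free(r); return NULL; }   /* callers must check for NULL */
    return r;
}

void snap_free(snap_t *r) {
    for (size_t i = 0; i < r->n; i++)
        if (atomic_fetch_sub(&r->objs[i]->refs, 1) == 1) free(r->objs[i]);
    free(r->objs); free(r);
}
```

The snapshot keeps its own array and its own references, so later additions to the store neither change its length nor invalidate its entries.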