File CVE-2024-5642-switch-off-NPN.patch of Package python3

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-5642-switch-off-NPN.patch of Package python3

From 1036c4b046f72fdcae8b893dae082de735a30e4d Mon Sep 17 00:00:00 2001
From: Adrian Bunk <bunk@debian.org>
Date: Tue, 23 Jul 2024 15:44:00 +0200
Subject: [PATCH] [CVE-2024-5642] Switch off NPN support

Fixes: gh#python/cpython#121227
Fixes: bsc#1227233 (CVE-2024-5642)
Fixes: https://security-tracker.debian.org/tracker/CVE-2024-5642
From-PR: gh#python/cpython#121227#issuecomment-2245302832
Patch: CVE-2024-5642-switch-off-NPN.patch
---
 Modules/_ssl.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index aafca11016e..179220e8fcf 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -148,16 +148,10 @@ struct py_ssl_library_code {
  * reasons. The check for TLSEXT_TYPE_next_proto_neg works with
  * OpenSSL 1.0.1+ and LibreSSL.
  * OpenSSL 1.1.1-pre1 dropped NPN but still has TLSEXT_TYPE_next_proto_neg.
+ *
+ * Fix for CVE-2024-5642: we just switch NPN completely
  */
-#ifdef OPENSSL_NO_NEXTPROTONEG
 # define HAVE_NPN 0
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
-# define HAVE_NPN 0
-#elif defined(TLSEXT_TYPE_next_proto_neg)
-# define HAVE_NPN 1
-#else
-# define HAVE_NPN 0
-#endif
 
 #ifndef INVALID_SOCKET /* MS defines this */
 #define INVALID_SOCKET (-1)
-- 
2.46.0

Places

File CVE-2024-5642-switch-off-NPN.patch of Package python3

Places