@ambv commented Aug 22, 2023

Instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

…ose flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

Co-Authored-By: Gregory P. Smith [Google LLC] <[email protected]>

@ambv requested a review from tiran as a code owner August 22, 2023 17:01
@ambv merged commit 264b1da into python:3.9 Aug 22, 2023
@ambv deleted the cve-2023-40217-3.9 branch August 22, 2023 18:00
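
An application-level guard against the state described in this pull request, as an added example (it is not CPython's fix and not code from this PR): refuse to read unless `SSLSocket.version()` reports a negotiated protocol, since it returns `None` whenever no handshake has finished. The names `HandshakeNotCompleted`, `require_completed_handshake`, `guarded_recv`, `handshake_state` and the `peer.invalid` hostname are assumptions for the illustration; the demo reproduces the no-handshake state locally, not the timing window.

```python
import socket
import ssl


class HandshakeNotCompleted(Exception):
    """Application data would be read without a finished TLS handshake."""


def require_completed_handshake(sock):
    """Return sock only if it is an SSLSocket whose handshake has finished."""
    if not isinstance(sock, ssl.SSLSocket):
        raise HandshakeNotCompleted("plain socket")
    # version() is None until a secure connection is established. That covers
    # a wrapped socket that never got an SSL object because it did not look
    # connected at wrap time, which is the state the description refers to.
    if sock.version() is None:
        raise HandshakeNotCompleted("no completed handshake")
    return sock


def guarded_recv(sock, bufsize=4096):
    """recv() that cannot fall through to the unencrypted receive buffer."""
    return require_completed_handshake(sock).recv(bufsize)


def handshake_state(sock):
    """Describe a socket without reading from it."""
    try:
        require_completed_handshake(sock)
    except HandshakeNotCompleted as exc:
        return str(exc)
    return "tls:" + sock.version()


def demo():
    """Exercise the guard on three local sockets; no network access needed."""
    ctx = ssl.create_default_context()
    results = {}

    # 1. Wrapped while not connected: no SSL object exists yet.
    never_connected = ctx.wrap_socket(socket.socket(),
                                      server_hostname="peer.invalid")
    results["never_connected"] = handshake_state(never_connected)
    never_connected.close()

    # 2. Connected pair with unencrypted bytes already buffered (constructed
    #    sample data) and the handshake deliberately deferred.
    ours, peer = socket.socketpair()
    peer.sendall(b"unencrypted bytes (constructed sample)")
    deferred = ctx.wrap_socket(ours, server_hostname="peer.invalid",
                               do_handshake_on_connect=False)
    results["deferred"] = handshake_state(deferred)
    try:
        guarded_recv(deferred)
        results["guarded_recv"] = "returned data"
    except HandshakeNotCompleted:
        results["guarded_recv"] = "refused"
    deferred.close()
    peer.close()

    # 3. A socket that was never wrapped at all.
    plain = socket.socket()
    results["plain"] = handshake_state(plain)
    plain.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```
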
@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL7 LTO + PGO 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/240/builds/601) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/240/builds/601

Failed tests:

  • test_ssl

Failed subtests:

  • test_preauth_data_to_tls_client - test.test_ssl.TestPreHandshakeClose

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

411 tests OK.

10 slowest tests:

  • test_concurrent_futures: 2 min 20 sec
  • test_multiprocessing_spawn: 1 min 31 sec
  • test_multiprocessing_forkserver: 1 min 13 sec
  • test_multiprocessing_fork: 1 min 5 sec
  • test_signal: 46.6 sec
  • test_asyncio: 44.7 sec
  • test_io: 33.0 sec
  • test_pydoc: 31.4 sec
  • test_imaplib: 29.7 sec
  • test_tokenize: 27.7 sec

1 test failed:
test_ssl

13 tests skipped:
test_devpoll test_gdb test_ioctl test_kqueue test_msilib
test_startfile test_tix test_tk test_ttk_guionly test_winconsoleio
test_winreg test_winsound test_zipfile64

1 re-run test:
test_ssl

Total duration: 2 min 28 sec

Traceback logs:

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_8cbe36b6'

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_973e3686'

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_377fe0cd'

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/test/test_ssl.py", line 4988, in test_preauth_data_to_tls_client
    client.connect(server.listener.getsockname())
ConnectionResetError: [Errno 104] Connection reset by peer

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 macOS 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/726/builds/400) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/726/builds/400

Failed tests:

  • test_asyncio

Failed subtests:

  • test_create_ssl_connection - test.test_asyncio.test_events.KqueueEventLoopTests
  • test_create_ssl_unix_connection - test.test_asyncio.test_events.SelectEventLoopTests
  • test_create_ssl_unix_connection - test.test_asyncio.test_events.PollEventLoopTests
  • test_create_ssl_unix_connection - test.test_asyncio.test_events.KqueueEventLoopTests
  • test_create_ssl_connection - test.test_asyncio.test_events.SelectEventLoopTests
  • test_create_ssl_connection - test.test_asyncio.test_events.PollEventLoopTests

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

405 tests OK.

10 slowest tests:

  • test_concurrent_futures: 2 min 58 sec
  • test_multiprocessing_spawn: 2 min 34 sec
  • test_multiprocessing_forkserver: 1 min 51 sec
  • test_unparse: 1 min 33 sec
  • test_tokenize: 1 min 28 sec
  • test_capi: 1 min 7 sec
  • test_lib2to3: 58.7 sec
  • test_asyncio: 58.3 sec
  • test_unicodedata: 54.0 sec
  • test_logging: 49.1 sec

1 test failed:
test_asyncio

16 tests skipped:
test_devpoll test_epoll test_gdb test_ioctl test_msilib
test_multiprocessing_fork test_ossaudiodev test_spwd
test_startfile test_tix test_tk test_ttk_guionly test_winconsoleio
test_winreg test_winsound test_zipfile64

1 re-run test:
test_asyncio

Total duration: 8 min 53 sec

Traceback logs:

Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_452cdc06'

Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 617, in test_create_ssl_connection
    self._test_create_ssl_connection(httpd, create_connection,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 605, in _test_create_ssl_connection
    self._basetest_create_ssl_connection(conn_fut, check_sockname,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 564, in _basetest_create_ssl_connection
    tr, pr = self.loop.run_until_complete(connection_fut)
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 647, in run_until_complete
    return future.result()
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 1090, in create_connection
    transport, protocol = await self._create_connection_transport(
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 1120, in _create_connection_transport
    await waiter
ConnectionResetError

Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_ac85ba1a'

Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 633, in test_create_ssl_unix_connection
    self._test_create_ssl_connection(httpd, create_connection,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 605, in _test_create_ssl_connection
    self._basetest_create_ssl_connection(conn_fut, check_sockname,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 564, in _basetest_create_ssl_connection
    tr, pr = self.loop.run_until_complete(connection_fut)
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 647, in run_until_complete
    return future.result()
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/unix_events.py", line 258, in create_unix_connection
    transport, protocol = await self._create_connection_transport(
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 1120, in _create_connection_transport
    await waiter
ConnectionResetError

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL7 LTO 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/412/builds/601) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/412/builds/601

Failed tests:

  • test_ssl

Failed subtests:

  • test_preauth_data_to_tls_client - test.test_ssl.TestPreHandshakeClose

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

412 tests OK.

10 slowest tests:

  • test_concurrent_futures: 2 min 20 sec
  • test_multiprocessing_spawn: 1 min 33 sec
  • test_gdb: 1 min 31 sec
  • test_multiprocessing_forkserver: 1 min 15 sec
  • test_multiprocessing_fork: 1 min 4 sec
  • test_signal: 46.7 sec
  • test_asyncio: 44.9 sec
  • test_peg_generator: 40.9 sec
  • test_io: 34.0 sec
  • test_pydoc: 31.3 sec

1 test failed:
test_ssl

12 tests skipped:
test_devpoll test_ioctl test_kqueue test_msilib test_startfile
test_tix test_tk test_ttk_guionly test_winconsoleio test_winreg
test_winsound test_zipfile64

1 re-run test:
test_ssl

Total duration: 2 min 52 sec

Traceback logs:

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/test/test_ssl.py", line 4988, in test_preauth_data_to_tls_client
    client.connect(server.listener.getsockname())
ConnectionResetError: [Errno 104] Connection reset by peer

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_ed5fa457'

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_bb406249'

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_bff6d2ad'

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL8 FIPS Only Blake2 Builtin Hash 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/382/builds/638) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/382/builds/638

Failed tests:

  • test_socket

Failed subtests:

  • test_hmac_sha1 - test.test_socket.LinuxKernelCryptoAPI

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

412 tests OK.

10 slowest tests:

  • test_gdb: 6 min 53 sec
  • test_concurrent_futures: 2 min 56 sec
  • test_capi: 2 min 1 sec
  • test_multiprocessing_spawn: 1 min 48 sec
  • test_asyncio: 1 min 41 sec
  • test_unparse: 1 min 22 sec
  • test_multiprocessing_forkserver: 1 min 18 sec
  • test_tokenize: 1 min 15 sec
  • test_peg_generator: 1 min 2 sec
  • test_multiprocessing_fork: 1 min 1 sec

1 test failed:
test_socket

12 tests skipped:
test_devpoll test_ioctl test_kqueue test_msilib test_startfile
test_tix test_tk test_ttk_guionly test_winconsoleio test_winreg
test_winsound test_zipfile64

1 re-run test:
test_socket

Total duration: 12 min 27 sec

Traceback logs:

Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-fips-x86_64.no-builtin-hashes-except-blake2/build/Lib/test/test_socket.py", line 6268, in test_hmac_sha1
    algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, b"Jefe")
OSError: [Errno 22] Invalid argument

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot PPC64LE RHEL8 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/250/builds/537) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/250/builds/537

Failed tests:

  • test_gdb

Summary of the results of the build (if available):

==

Traceback logs:
HEAD is now at 264b1dacc6 [3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)
Switched to and reset branch '3.9'

configure: WARNING: unrecognized options: --without-static-libpython
configure: WARNING: unrecognized options: --without-static-libpython

../Modules/_threadmodule.c: In function ‘local_clear’:
../Modules/_threadmodule.c:812:20: warning: unused variable ‘tstate’ [-Wunused-variable]
     PyThreadState *tstate;
                    ^~~~~~

test_msilib skipped -- No module named '_msi'
test_startfile skipped -- object <module 'os' from '/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/build_oot/../Lib/os.py'> has no attribute 'startfile'
test_kqueue skipped -- test works only on BSD
test_ioctl skipped -- Unable to open /dev/tty
test_winsound skipped -- No module named 'winsound'
test_winreg skipped -- No module named 'winreg'
test_tk skipped -- Tk unavailable due to TclError: no display name and no $DISPLAY environment variab [...]
test_winconsoleio skipped -- test only relevant on win32
test_flock (__main__.FNTLEINTRTest) ... ok
test_lockf (__main__.FNTLEINTRTest) ... ok
test_read (__main__.OSEINTRTest) ... ok
test_wait (__main__.OSEINTRTest) ... ok
test_wait3 (__main__.OSEINTRTest) ... ok
test_wait4 (__main__.OSEINTRTest) ... ok
test_waitpid (__main__.OSEINTRTest) ... ok
test_write (__main__.OSEINTRTest) ... ok
test_devpoll (__main__.SelectEINTRTest) ... skipped 'need select.devpoll'
test_epoll (__main__.SelectEINTRTest) ... ok
test_kqueue (__main__.SelectEINTRTest) ... skipped 'need select.kqueue'
test_poll (__main__.SelectEINTRTest) ... ok
test_select (__main__.SelectEINTRTest) ... ok
test_sigtimedwait (__main__.SignalEINTRTest) ... ok
test_sigwaitinfo (__main__.SignalEINTRTest) ... ok
test_accept (__main__.SocketEINTRTest) ... ok
test_open (__main__.SocketEINTRTest) ... ok
test_os_open (__main__.SocketEINTRTest) ... ok
test_recv (__main__.SocketEINTRTest) ... ok
test_recvmsg (__main__.SocketEINTRTest) ... ok
test_send (__main__.SocketEINTRTest) ... ok
test_sendall (__main__.SocketEINTRTest) ... ok
test_sendmsg (__main__.SocketEINTRTest) ... ok
test_sleep (__main__.TimeEINTRTest) ... ok
----------------------------------------------------------------------
Ran 24 tests in 10.625s

OK (skipped=2)
test_ttk_guionly skipped -- Tk unavailable due to TclError: no display name and no $DISPLAY environment variab [...]
test_zipfile64 skipped -- test requires loads of disk-space bytes and a long time to run
test_tix skipped -- Tk unavailable due to TclError: no display name and no $DISPLAY environment variab [...]
test_devpoll skipped -- test works only on Solaris OS family
<string>:2: PendingDeprecationWarning: lib2to3 package is deprecated and may not be able to parse Python 3.10+

Timeout (0:15:00)!
Thread 0x00007fffa3cf5320 (most recent call first):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/selectors.py", line 416 in select
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1995 in _communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1134 in communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 112 in run_gdb
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 226 in get_stack_trace
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 909 in test_pycfunction
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 550 in _callTestMethod
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 592 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 651 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/runner.py", line 184 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1850 in _run_suite
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1974 in run_unittest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 263 in _test_module
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 288 in _runtest_inner2
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 326 in _runtest_inner
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 204 in _runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 247 in runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest_mp.py", line 83 in run_tests_worker
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 692 in _main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 672 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 733 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/regrtest.py", line 43 in _main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/regrtest.py", line 47 in <module>
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 87 in _run_code
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 197 in _run_module_as_main

Timeout (0:15:00)!
Thread 0x00007fff9e8e5320 (most recent call first):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/selectors.py", line 416 in select
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1995 in _communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1134 in communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 112 in run_gdb
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 226 in get_stack_trace
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 909 in test_pycfunction
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 550 in _callTestMethod
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 592 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 651 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/runner.py", line 184 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1850 in _run_suite
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1974 in run_unittest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 263 in _test_module
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 288 in _runtest_inner2
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 326 in _runtest_inner
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 217 in _runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 247 in runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 334 in rerun_failed_tests
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 716 in _main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 672 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 733 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/__main__.py", line 2 in <module>
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 87 in _run_code
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 197 in _run_module_as_main

make: *** [Makefile:1240: buildbottest] Error 1

Cannot open file '/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/build_oot/test-results.xml' for upload

carlosroman pushed a commit to DataDog/cpython that referenced this pull request Oct 11, 2023

…pre-close flaw (python#108320)

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>