Untriaged
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user-provided callback passed to `set_tlsext_servername_callback` raised an unhandled exception, the connection was still accepted. If a user was relying on this callback for any security-sensitive behavior (for example, rejecting clients based on the SNI host name), this could allow that behavior to be bypassed. Starting in version 26.0.0, an unhandled exception in the callback results in the connection being rejected.
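As an added illustration (not code from pyOpenSSL or from the advisory), the following models the two behaviours described above using OpenSSL's servername-callback return codes, plus a check for the affected version range. `dispatch_sni`, `allow_only` and the string-based callback signature are constructed for the demo and are not the pyOpenSSL API.

```python
from __future__ import annotations

from typing import Callable, Tuple

# OpenSSL return codes for the tlsext servername callback.
SSL_TLSEXT_ERR_OK = 0           # accept: the handshake continues
SSL_TLSEXT_ERR_ALERT_FATAL = 2  # send a fatal alert: the handshake is aborted

AFFECTED_MIN = (0, 14, 0)   # first affected release, per the advisory
FIXED = (26, 0, 0)          # first release that rejects on an unhandled exception


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'X.Y.Z' into a comparable tuple (assumes purely numeric components)."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """True if a pyOpenSSL release falls in the advisory's range >= 0.14.0, < 26.0.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def allow_only(allowed_names: set[str]) -> Callable[[str], None]:
    """Constructed policy callback: raise for any SNI name that is not allow-listed."""
    def callback(server_name: str) -> None:
        if server_name not in allowed_names:
            raise ValueError(f"SNI name not permitted: {server_name!r}")
    return callback


def dispatch_sni(callback: Callable[[str], None], server_name: str, fail_closed: bool) -> int:
    """Hypothetical model of the wrapper that hands the SNI name to the Python callback.

    fail_closed=False reproduces the reported defect: the exception does not stop
    the handshake, so OpenSSL is told to continue as if the check had passed.
    fail_closed=True is the fail-closed behaviour: any exception becomes a fatal alert.
    """
    try:
        callback(server_name)
    except Exception:
        return SSL_TLSEXT_ERR_ALERT_FATAL if fail_closed else SSL_TLSEXT_ERR_OK
    return SSL_TLSEXT_ERR_OK


if __name__ == "__main__":
    policy = allow_only({"good.example"})
    print("affected 24.1.0:", is_affected_version("24.1.0"))
    print("open, bad name :", dispatch_sni(policy, "evil.example", fail_closed=False))
    print("closed, bad name:", dispatch_sni(policy, "evil.example", fail_closed=True))
```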
References
- https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424 (CONFIRM)
- https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 (MISC)
- https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst#L27 (MISC)
Affected products
pyopenssl
- >= 0.14.0, < 26.0.0
Matching in nixpkgs
pkgs.python312Packages.pyopenssl
Python wrapper around the OpenSSL library
pkgs.python313Packages.pyopenssl
Python wrapper around the OpenSSL library
pkgs.python314Packages.pyopenssl
Python wrapper around the OpenSSL library
pkgs.python312Packages.types-pyopenssl
Typing stubs for pyopenssl
- nixos-25.11 24.1.0.20240722
- nixos-25.11-small 24.1.0.20240722
- nixpkgs-25.11-darwin 24.1.0.20240722
pkgs.python313Packages.types-pyopenssl
Typing stubs for pyopenssl
- nixos-unstable 24.1.0.20240722
- nixpkgs-unstable 24.1.0.20240722
- nixos-unstable-small 24.1.0.20240722
- nixos-25.11 24.1.0.20240722
- nixos-25.11-small 24.1.0.20240722
- nixpkgs-25.11-darwin 24.1.0.20240722
pkgs.python314Packages.types-pyopenssl
Typing stubs for pyopenssl
- nixos-unstable 24.1.0.20240722
- nixpkgs-unstable 24.1.0.20240722
- nixos-unstable-small 24.1.0.20240722
Package maintainers
- @gador Florian Brandes <florian.brandes@posteo.de>