Synopsis:
pyOpenSSL security updateSummary:
An update for pyOpenSSL is now available for openEuler-24.03-LTSDescription:
pyOpenSSL is a rather thin wrapper around (a subset of) the OpenSSL library. With thin wrapper we mean that a lot of the object methods do nothing more than calling a corresponding function in the OpenSSL library.
Security Fix(es):
A security vulnerability exists in the PyOpenSSL library's set_tlsext_servername_callback function. When a user-provided callback function raises an unhandled exception, the connection would still be accepted. If a user relies on this callback for any security-sensitive behavior (such as server name-based access control or certificate validation), this vulnerability could allow the security mechanism to be bypassed, potentially permitting unauthorized connections or access.(CVE-2026-27448)
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to set_cookie_generate_callback returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.(CVE-2026-27459)Topic:
An update for pyOpenSSL is now available for openEuler-24.03-LTS.
openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:
CriticalAffected Component:
pyOpenSSL
24.0.0-3.oe240324.0.0-3.oe240324.0.0-3.oe2403Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:HI:HA:H9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H