From a34e1132b18da85b72662c60a584800d9afbc3c3 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 28 Jul 2025 10:36:20 +0200 Subject: [PATCH 1/2] Commit --- Lib/ssl.py | 2 ++ Lib/test/test_ssl.py | 6 ++++++ .../Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst | 2 ++ 3 files changed, 10 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst diff --git a/Lib/ssl.py b/Lib/ssl.py index cb5ec51681e1ca..a78e6acbfbc982 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -520,6 +520,8 @@ def wrap_bio(self, incoming, outgoing, server_side=False, def set_npn_protocols(self, npn_protocols): protos = bytearray() + if not npn_protocols: + raise SSLError('NPN protocols must not be empty') for protocol in npn_protocols: b = bytes(protocol, 'ascii') if len(b) == 0 or len(b) > 255: diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index b9163ae0d5e361..a2e771ed7fd669 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -4219,6 +4219,12 @@ def test_npn_protocols(self): if len(stats['server_npn_protocols']) else 'nothing' self.assertEqual(server_result, expected, msg % (server_result, "server")) + def test_empty_npn_protocols(self): + """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227""" + client_context, server_context, hostname = testing_context() + with self.assertRaises(ssl.SSLError): + server_context.set_npn_protocols([]) + def sni_contexts(self): server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) server_context.load_cert_chain(SIGNED_CERTFILE) diff --git a/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst new file mode 100644 index 00000000000000..bb52fc94a5b036 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst @@ -0,0 +1,2 @@ +Raise an :exc:`SSL.SSLError` if an empty *protocols* argument is passed to +:meth:`ssl.SSLContext.set_npn_protocols` to fix :cve:`CVE-2024-5642`. From be945dd6a2106ef23225e73bb7a110e401020cf2 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Mon, 28 Jul 2025 10:44:09 +0200 Subject: [PATCH 2/2] Fix blurb entry for 3.9 --- .../Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst index bb52fc94a5b036..6350f74a396f21 100644 --- a/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst +++ b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst @@ -1,2 +1,2 @@ Raise an :exc:`SSL.SSLError` if an empty *protocols* argument is passed to -:meth:`ssl.SSLContext.set_npn_protocols` to fix :cve:`CVE-2024-5642`. +:meth:`ssl.SSLContext.set_npn_protocols` to fix ``CVE-2024-5642``.