From: "Yoann Congal" <yoann.congal@smile.fr>
To: <vanusuri@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448
Date: Sat, 28 Mar 2026 00:22:59 +0100 [thread overview]
Message-ID: <DHDY9F8XP2QC.1FPKRXZ97INT7@smile.fr> (raw)
In-Reply-To: <20260325072340.112787-1-vanusuri@mvista.com>
On Wed Mar 25, 2026 at 8:23 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> Pick patch mentioned in NVD
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
> [2] https://ubuntu.com/security/CVE-2026-27448
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
Hello,
As far as I can tell, this CVE also applies to whinlatter. You need to
send the fix there before I can take it for scarthgap and kirkstone.
That also applies to the 2/2 patch.
Regards,
> .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++
> .../python/python3-pyopenssl_24.0.0.bb | 4 +
> 2 files changed, 128 insertions(+)
> create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
>
> diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> new file mode 100644
> index 0000000000..87f46b4cb0
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> @@ -0,0 +1,124 @@
> +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
> +From: Alex Gaynor <alex.gaynor@gmail.com>
> +Date: Mon, 16 Feb 2026 21:04:37 -0500
> +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
> + (#1478)
> +
> +When the servername callback raises an exception, call sys.excepthook
> +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
> +the handshake. Previously, exceptions would propagate uncaught through
> +the CFFI callback boundary.
> +
> +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
> +
> +Co-authored-by: Claude <noreply@anthropic.com>
> +
> +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
> +CVE: CVE-2026-27448
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + CHANGELOG.rst | 1 +
> + src/OpenSSL/SSL.py | 7 ++++++-
> + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++
> + 3 files changed, 57 insertions(+), 1 deletion(-)
> +
> +diff --git a/CHANGELOG.rst b/CHANGELOG.rst
> +index 6e23770..12e60e4 100644
> +--- a/CHANGELOG.rst
> ++++ b/CHANGELOG.rst
> +@@ -18,6 +18,7 @@ Changes:
> +
> + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
> + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
> ++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
> +
> + 23.3.0 (2023-10-25)
> + -------------------
> +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
> +index 4db5240..a6263c4 100644
> +--- a/src/OpenSSL/SSL.py
> ++++ b/src/OpenSSL/SSL.py
> +@@ -1,5 +1,6 @@
> + import os
> + import socket
> ++import sys
> + import typing
> + from errno import errorcode
> + from functools import partial, wraps
> +@@ -1567,7 +1568,11 @@ class Context:
> +
> + @wraps(callback)
> + def wrapper(ssl, alert, arg):
> +- callback(Connection._reverse_mapping[ssl])
> ++ try:
> ++ callback(Connection._reverse_mapping[ssl])
> ++ except Exception:
> ++ sys.excepthook(*sys.exc_info())
> ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
> + return 0
> +
> + self._tlsext_servername_callback = _ffi.callback(
> +diff --git a/tests/test_ssl.py b/tests/test_ssl.py
> +index ca5bf83..55489b9 100644
> +--- a/tests/test_ssl.py
> ++++ b/tests/test_ssl.py
> +@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
> +
> + assert args == [(server, b"foo1.example.com")]
> +
> ++ def test_servername_callback_exception(
> ++ self, monkeypatch: pytest.MonkeyPatch
> ++ ) -> None:
> ++ """
> ++ When the callback passed to `Context.set_tlsext_servername_callback`
> ++ raises an exception, ``sys.excepthook`` is called with the exception
> ++ and the handshake fails with an ``Error``.
> ++ """
> ++ exc = TypeError("server name callback failed")
> ++
> ++ def servername(conn: Connection) -> None:
> ++ raise exc
> ++
> ++ excepthook_calls: list[
> ++ tuple[type[BaseException], BaseException, object]
> ++ ] = []
> ++
> ++ def custom_excepthook(
> ++ exc_type: type[BaseException],
> ++ exc_value: BaseException,
> ++ exc_tb: object,
> ++ ) -> None:
> ++ excepthook_calls.append((exc_type, exc_value, exc_tb))
> ++
> ++ context = Context(SSLv23_METHOD)
> ++ context.set_tlsext_servername_callback(servername)
> ++
> ++ # Necessary to actually accept the connection
> ++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
> ++ context.use_certificate(
> ++ load_certificate(FILETYPE_PEM, server_cert_pem)
> ++ )
> ++
> ++ # Do a little connection to trigger the logic
> ++ server = Connection(context, None)
> ++ server.set_accept_state()
> ++
> ++ client = Connection(Context(SSLv23_METHOD), None)
> ++ client.set_connect_state()
> ++ client.set_tlsext_host_name(b"foo1.example.com")
> ++
> ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook)
> ++ with pytest.raises(Error):
> ++ interact_in_memory(server, client)
> ++
> ++ assert len(excepthook_calls) == 1
> ++ assert excepthook_calls[0][0] is TypeError
> ++ assert excepthook_calls[0][1] is exc
> ++ assert excepthook_calls[0][2] is not None
> ++
> +
> + class TestApplicationLayerProtoNegotiation:
> + """
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> index 116f214bfa..bc0b568a46 100644
> --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> @@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
> PYPI_PACKAGE = "pyOpenSSL"
> inherit pypi setuptools3
>
> +SRC_URI += " \
> + file://CVE-2026-27448.patch \
> +"
> +
> PACKAGES =+ "${PN}-tests"
> FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
>
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-03-27 23:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri
2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri
2026-03-27 23:22 ` Yoann Congal [this message]
2026-03-28 2:11 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHDY9F8XP2QC.1FPKRXZ97INT7@smile.fr \
--to=yoann.congal@smile.fr \
--cc=openembedded-core@lists.openembedded.org \
--cc=vanusuri@mvista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox