* [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448
@ 2026-03-25 7:23 Vijay Anusuri
2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri
2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
0 siblings, 2 replies; 4+ messages in thread
From: Vijay Anusuri @ 2026-03-25 7:23 UTC (permalink / raw)
To: openembedded-core; +Cc: Vijay Anusuri
Pick patch mentioned in NVD
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
[2] https://ubuntu.com/security/CVE-2026-27448
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++
.../python/python3-pyopenssl_24.0.0.bb | 4 +
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
new file mode 100644
index 0000000000..87f46b4cb0
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
@@ -0,0 +1,124 @@
+From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
+ (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
+CVE: CVE-2026-27448
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst | 1 +
+ src/OpenSSL/SSL.py | 7 ++++++-
+ tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 6e23770..12e60e4 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -18,6 +18,7 @@ Changes:
+
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+ `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+
+ 23.3.0 (2023-10-25)
+ -------------------
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index 4db5240..a6263c4 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1,5 +1,6 @@
+ import os
+ import socket
++import sys
+ import typing
+ from errno import errorcode
+ from functools import partial, wraps
+@@ -1567,7 +1568,11 @@ class Context:
+
+ @wraps(callback)
+ def wrapper(ssl, alert, arg):
+- callback(Connection._reverse_mapping[ssl])
++ try:
++ callback(Connection._reverse_mapping[ssl])
++ except Exception:
++ sys.excepthook(*sys.exc_info())
++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+ return 0
+
+ self._tlsext_servername_callback = _ffi.callback(
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index ca5bf83..55489b9 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
+
+ assert args == [(server, b"foo1.example.com")]
+
++ def test_servername_callback_exception(
++ self, monkeypatch: pytest.MonkeyPatch
++ ) -> None:
++ """
++ When the callback passed to `Context.set_tlsext_servername_callback`
++ raises an exception, ``sys.excepthook`` is called with the exception
++ and the handshake fails with an ``Error``.
++ """
++ exc = TypeError("server name callback failed")
++
++ def servername(conn: Connection) -> None:
++ raise exc
++
++ excepthook_calls: list[
++ tuple[type[BaseException], BaseException, object]
++ ] = []
++
++ def custom_excepthook(
++ exc_type: type[BaseException],
++ exc_value: BaseException,
++ exc_tb: object,
++ ) -> None:
++ excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++ context = Context(SSLv23_METHOD)
++ context.set_tlsext_servername_callback(servername)
++
++ # Necessary to actually accept the connection
++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ context.use_certificate(
++ load_certificate(FILETYPE_PEM, server_cert_pem)
++ )
++
++ # Do a little connection to trigger the logic
++ server = Connection(context, None)
++ server.set_accept_state()
++
++ client = Connection(Context(SSLv23_METHOD), None)
++ client.set_connect_state()
++ client.set_tlsext_host_name(b"foo1.example.com")
++
++ monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++ with pytest.raises(Error):
++ interact_in_memory(server, client)
++
++ assert len(excepthook_calls) == 1
++ assert excepthook_calls[0][0] is TypeError
++ assert excepthook_calls[0][1] is exc
++ assert excepthook_calls[0][2] is not None
++
+
+ class TestApplicationLayerProtoNegotiation:
+ """
+--
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index 116f214bfa..bc0b568a46 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
PYPI_PACKAGE = "pyOpenSSL"
inherit pypi setuptools3
+SRC_URI += " \
+ file://CVE-2026-27448.patch \
+"
+
PACKAGES =+ "${PN}-tests"
FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459
2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri
@ 2026-03-25 7:23 ` Vijay Anusuri
2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
1 sibling, 0 replies; 4+ messages in thread
From: Vijay Anusuri @ 2026-03-25 7:23 UTC (permalink / raw)
To: openembedded-core; +Cc: Vijay Anusuri
Pick patch mentioned in NVD
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459
[2] https://ubuntu.com/security/CVE-2026-27459
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../python3-pyopenssl/CVE-2026-27459.patch | 109 ++++++++++++++++++
.../python/python3-pyopenssl_24.0.0.bb | 1 +
2 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
new file mode 100644
index 0000000000..f75540f96e
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
@@ -0,0 +1,109 @@
+From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 18 Feb 2026 07:46:15 -0500
+Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback
+ (#1479)
+
+The cookie generate callback copied user-returned bytes into a
+fixed-size native buffer without enforcing a maximum length. A
+callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow
+the OpenSSL-provided buffer, corrupting adjacent memory.
+
+Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408]
+CVE: CVE-2026-27459
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst | 1 +
+ src/OpenSSL/SSL.py | 7 +++++++
+ tests/test_ssl.py | 38 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 12e60e4..6041fdc 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -16,6 +16,7 @@ Deprecations:
+ Changes:
+ ^^^^^^^^
+
++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow.
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+ `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
+ - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index a6263c4..2e4da78 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -691,11 +691,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper):
+ def __init__(self, callback):
+ _CallbackExceptionHelper.__init__(self)
+
++ max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)
++
+ @wraps(callback)
+ def wrapper(ssl, out, outlen):
+ try:
+ conn = Connection._reverse_mapping[ssl]
+ cookie = callback(conn)
++ if len(cookie) > max_cookie_len:
++ raise ValueError(
++ f"Cookie too long (got {len(cookie)} bytes, "
++ f"max {max_cookie_len})"
++ )
+ out[0 : len(cookie)] = cookie
+ outlen[0] = len(cookie)
+ return 1
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 55489b9..683e368 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -4560,6 +4560,44 @@ class TestDTLS:
+ def test_it_works_with_srtp(self):
+ self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80")
+
++ def test_cookie_generate_too_long(self) -> None:
++ s_ctx = Context(DTLS_METHOD)
++
++ def generate_cookie(ssl: Connection) -> bytes:
++ return b"\x00" * 256
++
++ def verify_cookie(ssl: Connection, cookie: bytes) -> bool:
++ return True
++
++ s_ctx.set_cookie_generate_callback(generate_cookie)
++ s_ctx.set_cookie_verify_callback(verify_cookie)
++ s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++ s_ctx.set_options(OP_NO_QUERY_MTU)
++ s = Connection(s_ctx)
++ s.set_accept_state()
++
++ c_ctx = Context(DTLS_METHOD)
++ c_ctx.set_options(OP_NO_QUERY_MTU)
++ c = Connection(c_ctx)
++ c.set_connect_state()
++
++ c.set_ciphertext_mtu(1500)
++ s.set_ciphertext_mtu(1500)
++
++ # Client sends ClientHello
++ try:
++ c.do_handshake()
++ except SSL.WantReadError:
++ pass
++ chunk = c.bio_read(self.LARGE_BUFFER)
++ s.bio_write(chunk)
++
++ # Server tries DTLSv1_listen, which triggers cookie generation.
++ # The oversized cookie should raise ValueError.
++ with pytest.raises(ValueError, match="Cookie too long"):
++ s.DTLSv1_listen()
++
+ def test_timeout(self, monkeypatch):
+ c_ctx = Context(DTLS_METHOD)
+ c = Connection(c_ctx)
+--
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index bc0b568a46..94a70aa17d 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -12,6 +12,7 @@ inherit pypi setuptools3
SRC_URI += " \
file://CVE-2026-27448.patch \
+ file://CVE-2026-27459.patch \
"
PACKAGES =+ "${PN}-tests"
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448
2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri
2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri
@ 2026-03-27 23:22 ` Yoann Congal
2026-03-28 2:11 ` Vijay Anusuri
1 sibling, 1 reply; 4+ messages in thread
From: Yoann Congal @ 2026-03-27 23:22 UTC (permalink / raw)
To: vanusuri, openembedded-core
On Wed Mar 25, 2026 at 8:23 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> Pick patch mentioned in NVD
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
> [2] https://ubuntu.com/security/CVE-2026-27448
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
Hello,
As far as I can tell, this CVE also applies to whinlatter. You need to
send the fix there before I can take it for scarthgap and kirkstone.
That also applies to the 2/2 patch.
Regards,
> .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++
> .../python/python3-pyopenssl_24.0.0.bb | 4 +
> 2 files changed, 128 insertions(+)
> create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
>
> diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> new file mode 100644
> index 0000000000..87f46b4cb0
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> @@ -0,0 +1,124 @@
> +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
> +From: Alex Gaynor <alex.gaynor@gmail.com>
> +Date: Mon, 16 Feb 2026 21:04:37 -0500
> +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
> + (#1478)
> +
> +When the servername callback raises an exception, call sys.excepthook
> +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
> +the handshake. Previously, exceptions would propagate uncaught through
> +the CFFI callback boundary.
> +
> +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
> +
> +Co-authored-by: Claude <noreply@anthropic.com>
> +
> +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
> +CVE: CVE-2026-27448
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + CHANGELOG.rst | 1 +
> + src/OpenSSL/SSL.py | 7 ++++++-
> + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++
> + 3 files changed, 57 insertions(+), 1 deletion(-)
> +
> +diff --git a/CHANGELOG.rst b/CHANGELOG.rst
> +index 6e23770..12e60e4 100644
> +--- a/CHANGELOG.rst
> ++++ b/CHANGELOG.rst
> +@@ -18,6 +18,7 @@ Changes:
> +
> + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
> + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
> ++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
> +
> + 23.3.0 (2023-10-25)
> + -------------------
> +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
> +index 4db5240..a6263c4 100644
> +--- a/src/OpenSSL/SSL.py
> ++++ b/src/OpenSSL/SSL.py
> +@@ -1,5 +1,6 @@
> + import os
> + import socket
> ++import sys
> + import typing
> + from errno import errorcode
> + from functools import partial, wraps
> +@@ -1567,7 +1568,11 @@ class Context:
> +
> + @wraps(callback)
> + def wrapper(ssl, alert, arg):
> +- callback(Connection._reverse_mapping[ssl])
> ++ try:
> ++ callback(Connection._reverse_mapping[ssl])
> ++ except Exception:
> ++ sys.excepthook(*sys.exc_info())
> ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
> + return 0
> +
> + self._tlsext_servername_callback = _ffi.callback(
> +diff --git a/tests/test_ssl.py b/tests/test_ssl.py
> +index ca5bf83..55489b9 100644
> +--- a/tests/test_ssl.py
> ++++ b/tests/test_ssl.py
> +@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
> +
> + assert args == [(server, b"foo1.example.com")]
> +
> ++ def test_servername_callback_exception(
> ++ self, monkeypatch: pytest.MonkeyPatch
> ++ ) -> None:
> ++ """
> ++ When the callback passed to `Context.set_tlsext_servername_callback`
> ++ raises an exception, ``sys.excepthook`` is called with the exception
> ++ and the handshake fails with an ``Error``.
> ++ """
> ++ exc = TypeError("server name callback failed")
> ++
> ++ def servername(conn: Connection) -> None:
> ++ raise exc
> ++
> ++ excepthook_calls: list[
> ++ tuple[type[BaseException], BaseException, object]
> ++ ] = []
> ++
> ++ def custom_excepthook(
> ++ exc_type: type[BaseException],
> ++ exc_value: BaseException,
> ++ exc_tb: object,
> ++ ) -> None:
> ++ excepthook_calls.append((exc_type, exc_value, exc_tb))
> ++
> ++ context = Context(SSLv23_METHOD)
> ++ context.set_tlsext_servername_callback(servername)
> ++
> ++ # Necessary to actually accept the connection
> ++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
> ++ context.use_certificate(
> ++ load_certificate(FILETYPE_PEM, server_cert_pem)
> ++ )
> ++
> ++ # Do a little connection to trigger the logic
> ++ server = Connection(context, None)
> ++ server.set_accept_state()
> ++
> ++ client = Connection(Context(SSLv23_METHOD), None)
> ++ client.set_connect_state()
> ++ client.set_tlsext_host_name(b"foo1.example.com")
> ++
> ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook)
> ++ with pytest.raises(Error):
> ++ interact_in_memory(server, client)
> ++
> ++ assert len(excepthook_calls) == 1
> ++ assert excepthook_calls[0][0] is TypeError
> ++ assert excepthook_calls[0][1] is exc
> ++ assert excepthook_calls[0][2] is not None
> ++
> +
> + class TestApplicationLayerProtoNegotiation:
> + """
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> index 116f214bfa..bc0b568a46 100644
> --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> @@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
> PYPI_PACKAGE = "pyOpenSSL"
> inherit pypi setuptools3
>
> +SRC_URI += " \
> + file://CVE-2026-27448.patch \
> +"
> +
> PACKAGES =+ "${PN}-tests"
> FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
>
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448
2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
@ 2026-03-28 2:11 ` Vijay Anusuri
0 siblings, 0 replies; 4+ messages in thread
From: Vijay Anusuri @ 2026-03-28 2:11 UTC (permalink / raw)
To: Yoann Congal; +Cc: Patches and discussions about the oe-core layer
[-- Attachment #1: Type: text/plain, Size: 7372 bytes --]
Hi Yoann,
As kirkstone LTS going to end this month, I've sent patches for both
kirkstone and scarthgap first.
I will send patches for whinlatter soon.
Thanks for reminding me.
Thanks & Regards,
Vijay
On Sat, 28 Mar, 2026, 4:53 am Yoann Congal, <yoann.congal@smile.fr> wrote:
> On Wed Mar 25, 2026 at 8:23 AM CET, Vijay Anusuri via
> lists.openembedded.org wrote:
> > Pick patch mentioned in NVD
> >
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
> > [2] https://ubuntu.com/security/CVE-2026-27448
> >
> > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > ---
>
> Hello,
>
> As far as I can tell, this CVE also applies to whinlatter. You need to
> send the fix there before I can take it for scarthgap and kirkstone.
>
> That also applies to the 2/2 patch.
>
> Regards,
>
>
> > .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++
> > .../python/python3-pyopenssl_24.0.0.bb | 4 +
> > 2 files changed, 128 insertions(+)
> > create mode 100644
> meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> >
> > diff --git
> a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> > new file mode 100644
> > index 0000000000..87f46b4cb0
> > --- /dev/null
> > +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> > @@ -0,0 +1,124 @@
> > +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
> > +From: Alex Gaynor <alex.gaynor@gmail.com>
> > +Date: Mon, 16 Feb 2026 21:04:37 -0500
> > +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback
> callbacks
> > + (#1478)
> > +
> > +When the servername callback raises an exception, call sys.excepthook
> > +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
> > +the handshake. Previously, exceptions would propagate uncaught through
> > +the CFFI callback boundary.
> > +
> > +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
> > +
> > +Co-authored-by: Claude <noreply@anthropic.com>
> > +
> > +Upstream-Status: Backport [
> https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0
> ]
> > +CVE: CVE-2026-27448
> > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > +---
> > + CHANGELOG.rst | 1 +
> > + src/OpenSSL/SSL.py | 7 ++++++-
> > + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++
> > + 3 files changed, 57 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/CHANGELOG.rst b/CHANGELOG.rst
> > +index 6e23770..12e60e4 100644
> > +--- a/CHANGELOG.rst
> > ++++ b/CHANGELOG.rst
> > +@@ -18,6 +18,7 @@ Changes:
> > +
> > + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to
> determine which SRTP profile was negotiated.
> > + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
> > ++- ``Context.set_tlsext_servername_callback`` now handles exceptions
> raised in the callback by calling ``sys.excepthook`` and returning a fatal
> TLS alert. Previously, exceptions were silently swallowed and the handshake
> would proceed as if the callback had succeeded.
> > +
> > + 23.3.0 (2023-10-25)
> > + -------------------
> > +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
> > +index 4db5240..a6263c4 100644
> > +--- a/src/OpenSSL/SSL.py
> > ++++ b/src/OpenSSL/SSL.py
> > +@@ -1,5 +1,6 @@
> > + import os
> > + import socket
> > ++import sys
> > + import typing
> > + from errno import errorcode
> > + from functools import partial, wraps
> > +@@ -1567,7 +1568,11 @@ class Context:
> > +
> > + @wraps(callback)
> > + def wrapper(ssl, alert, arg):
> > +- callback(Connection._reverse_mapping[ssl])
> > ++ try:
> > ++ callback(Connection._reverse_mapping[ssl])
> > ++ except Exception:
> > ++ sys.excepthook(*sys.exc_info())
> > ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
> > + return 0
> > +
> > + self._tlsext_servername_callback = _ffi.callback(
> > +diff --git a/tests/test_ssl.py b/tests/test_ssl.py
> > +index ca5bf83..55489b9 100644
> > +--- a/tests/test_ssl.py
> > ++++ b/tests/test_ssl.py
> > +@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
> > +
> > + assert args == [(server, b"foo1.example.com")]
> > +
> > ++ def test_servername_callback_exception(
> > ++ self, monkeypatch: pytest.MonkeyPatch
> > ++ ) -> None:
> > ++ """
> > ++ When the callback passed to
> `Context.set_tlsext_servername_callback`
> > ++ raises an exception, ``sys.excepthook`` is called with the
> exception
> > ++ and the handshake fails with an ``Error``.
> > ++ """
> > ++ exc = TypeError("server name callback failed")
> > ++
> > ++ def servername(conn: Connection) -> None:
> > ++ raise exc
> > ++
> > ++ excepthook_calls: list[
> > ++ tuple[type[BaseException], BaseException, object]
> > ++ ] = []
> > ++
> > ++ def custom_excepthook(
> > ++ exc_type: type[BaseException],
> > ++ exc_value: BaseException,
> > ++ exc_tb: object,
> > ++ ) -> None:
> > ++ excepthook_calls.append((exc_type, exc_value, exc_tb))
> > ++
> > ++ context = Context(SSLv23_METHOD)
> > ++ context.set_tlsext_servername_callback(servername)
> > ++
> > ++ # Necessary to actually accept the connection
> > ++ context.use_privatekey(load_privatekey(FILETYPE_PEM,
> server_key_pem))
> > ++ context.use_certificate(
> > ++ load_certificate(FILETYPE_PEM, server_cert_pem)
> > ++ )
> > ++
> > ++ # Do a little connection to trigger the logic
> > ++ server = Connection(context, None)
> > ++ server.set_accept_state()
> > ++
> > ++ client = Connection(Context(SSLv23_METHOD), None)
> > ++ client.set_connect_state()
> > ++ client.set_tlsext_host_name(b"foo1.example.com")
> > ++
> > ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook)
> > ++ with pytest.raises(Error):
> > ++ interact_in_memory(server, client)
> > ++
> > ++ assert len(excepthook_calls) == 1
> > ++ assert excepthook_calls[0][0] is TypeError
> > ++ assert excepthook_calls[0][1] is exc
> > ++ assert excepthook_calls[0][2] is not None
> > ++
> > +
> > + class TestApplicationLayerProtoNegotiation:
> > + """
> > +--
> > +2.43.0
> > +
> > diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> > index 116f214bfa..bc0b568a46 100644
> > --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> > +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
> > @@ -10,6 +10,10 @@ SRC_URI[sha256sum] =
> "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
> > PYPI_PACKAGE = "pyOpenSSL"
> > inherit pypi setuptools3
> >
> > +SRC_URI += " \
> > + file://CVE-2026-27448.patch \
> > +"
> > +
> > PACKAGES =+ "${PN}-tests"
> > FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
> >
>
>
> --
> Yoann Congal
> Smile ECS
>
>
[-- Attachment #2: Type: text/html, Size: 10671 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-28 2:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri
2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri
2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
2026-03-28 2:11 ` Vijay Anusuri
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox