[3.4] Issues #27850 and #27766: Remove 3DES from ssl default cipher list an… by vstinner · Pull Request #224 · python/cpython
Updated URL:
http://python-security.readthedocs.io/vulnerabilities.html#cve-2016-2183-sweet32-attack-des-3des
@Haypo, this change is already in 3.6 and 3.5, correct?
Right.
So the only issue is 3.4?
Yes. In branches still accepting security fixes, it seems like only 3.4 remains vulnerable:
http://python-security.readthedocs.io/ssl.html#cipher-suite
If so, you need a review from @larryhastings, not me! And, in general, if there is a release blocker issue, you need to flag it as such on the bug tracker, not here.
I created this PR 16 days ago, and Larry hasn't replied yet. IMHO it's an important security vulnerability, so I would prefer to merge this fix quickly. Then the question will be when a new 3.4 version can be released with the security fix :-/
About the bug tracker: the Priority field has no version, "release blocker" is not specific to the 3.4 branch. I looked at http://bugs.python.org/issue27850 which is a single issue for all branches.