python · aiohttp · Heads-up
aiohttp: TLS SNI check bypass when reusing connection with different server_hostname
What changed
A vulnerability in aiohttp allows bypass of the TLS SNI check when reusing an existing connection with different per-request server_hostname parameters.
Who it affects
Applications using aiohttp that make multiple requests to the same domain with different server_hostname values.
What to do today
Apply the patch from commit 0ca2b6c28a25726527a8b60f25960262a91ed0e0 or disable keep_alive if changing server_hostname between requests.
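To check whether a code base matches the affected pattern, the following added example (not part of the advisory or of aiohttp) scans Python source for request calls that pass server_hostname= and flags files where that value can differ between calls. It matches on method names only, so a receiver that is not an aiohttp session is an assumed false positive to rule out by hand; the sample source and its hostnames are constructed.

```python
import ast

# Request-style method names checked for a server_hostname= keyword.
# Assumption: the receiver is an aiohttp ClientSession (types are not resolved).
REQUEST_METHODS = {"request", "get", "post", "put", "patch", "delete", "head", "options"}


def find_server_hostname_calls(source, filename="<constructed>"):
    """Return (line, method, value) for each call passing server_hostname=."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in REQUEST_METHODS:
            continue
        for kw in node.keywords:
            if kw.arg != "server_hostname":
                continue
            if isinstance(kw.value, ast.Constant):
                value = kw.value.value      # literal hostname, or None
            else:
                value = "<dynamic>"         # variable or expression
            hits.append((node.lineno, node.func.attr, value))
    hits.sort(key=lambda h: h[0])
    return hits


def needs_review(hits):
    """True when the scanned code can send differing server_hostname values."""
    values = {v for _, _, v in hits if v is not None}
    return "<dynamic>" in values or len(values) > 1


# Constructed sample: one fixed and one per-iteration server_hostname
# against the same address, plus a call that does not set it at all.
SAMPLE = '''
async def probe(session, names):
    await session.get("https://10.0.0.5/", server_hostname="a.example")
    for name in names:
        await session.get("https://10.0.0.5/", server_hostname=name)
    await session.post("https://10.0.0.5/", json={})
'''

if __name__ == "__main__":
    found = find_server_hostname_calls(SAMPLE)
    for line, method, value in found:
        print(f"line {line}: .{method}(server_hostname={value!r})")
    print("needs review:", needs_review(found))
```

A flagged file is only a candidate: whether the calls actually share a kept-alive connection depends on the session and connector in use at run time.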