resolved
Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass
Bug reported by UV3DOBLE was disclosed at March 20, 2026, 4:10 pm
A vulnerability was discovered in the `pyopenssl` library's handling of the Server Name Indication (SNI) callback (`set_tlsext_servername_callback`). The internal wrapper for this callback catches every Python exception raised by user code but still returns `0` (`SSL_TLSEXT_ERR_OK`, success) to the underlying OpenSSL engine. As a result, a TLS connection could be established successfully even when the validation logic inside the callback crashed or raised an exception, potentially bypassing access controls or authentication checks implemented at the SNI layer.
resolved
[Privilege Escalation] User can Pin|Unpin Any Comment on Any Project or Locale
Bug reported by was disclosed at March 20, 2026, 11:00 am | Privilege Escalation
A vulnerability was discovered in the Pontoon application where any user could pin or unpin comments on any project or locale, despite lacking the privileges required to do so. This was possible because the backend code handling the pin and unpin functionality performed no proper access control check.