new file mode 100644
@@ -0,0 +1,125 @@
+From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
+ (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
+CVE: CVE-2026-27448
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst | 1 +
+ src/OpenSSL/SSL.py | 7 ++++++-
+ tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index d98901f..5d953c9 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -37,6 +37,7 @@ Changes:
+
+ - Corrected type annotations on ``Context.set_alpn_select_callback``, ``Context.set_session_cache_mode``, ``Context.set_options``, ``Context.set_mode``, ``X509.subject_name_hash``, and ``X509Store.load_locations``.
+ - Deprecated APIs are now marked using ``warnings.deprecated``. ``mypy`` will emit deprecation notices for them when used with ``--enable-error-code deprecated``.
++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+
+ 24.3.0 (2024-11-27)
+ -------------------
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index ca8913c..178961f 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -2,6 +2,7 @@ from __future__ import annotations
+
+ import os
+ import socket
++import sys
+ import typing
+ import warnings
+ from collections.abc import Sequence
+@@ -1729,7 +1730,11 @@ class Context:
+
+ @wraps(callback)
+ def wrapper(ssl, alert, arg): # type: ignore[no-untyped-def]
+- callback(Connection._reverse_mapping[ssl])
++ try:
++ callback(Connection._reverse_mapping[ssl])
++ except Exception:
++ sys.excepthook(*sys.exc_info())
++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+ return 0
+
+ self._tlsext_servername_callback = _ffi.callback(
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index bcad6d9..9a5b19b 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1929,6 +1929,56 @@ class TestServerNameCallback:
+
+ assert args == [(server, b"foo1.example.com")]
+
++ def test_servername_callback_exception(
++ self, monkeypatch: pytest.MonkeyPatch
++ ) -> None:
++ """
++ When the callback passed to `Context.set_tlsext_servername_callback`
++ raises an exception, ``sys.excepthook`` is called with the exception
++ and the handshake fails with an ``Error``.
++ """
++ exc = TypeError("server name callback failed")
++
++ def servername(conn: Connection) -> None:
++ raise exc
++
++ excepthook_calls: list[
++ tuple[type[BaseException], BaseException, object]
++ ] = []
++
++ def custom_excepthook(
++ exc_type: type[BaseException],
++ exc_value: BaseException,
++ exc_tb: object,
++ ) -> None:
++ excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++ context = Context(SSLv23_METHOD)
++ context.set_tlsext_servername_callback(servername)
++
++ # Necessary to actually accept the connection
++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ context.use_certificate(
++ load_certificate(FILETYPE_PEM, server_cert_pem)
++ )
++
++ # Do a little connection to trigger the logic
++ server = Connection(context, None)
++ server.set_accept_state()
++
++ client = Connection(Context(SSLv23_METHOD), None)
++ client.set_connect_state()
++ client.set_tlsext_host_name(b"foo1.example.com")
++
++ monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++ with pytest.raises(Error):
++ interact_in_memory(server, client)
++
++ assert len(excepthook_calls) == 1
++ assert excepthook_calls[0][0] is TypeError
++ assert excepthook_calls[0][1] is exc
++ assert excepthook_calls[0][2] is not None
++
+
+ class TestApplicationLayerProtoNegotiation:
+ """
+--
+2.43.0
+
@@ -9,6 +9,10 @@ SRC_URI[sha256sum] = "8d031884482e0c67ee92bf9a4d8cceb08d92aba7136432ffb0703c5280
inherit pypi setuptools3
+SRC_URI += " \
+ file://CVE-2026-27448.patch \
+"
+
PACKAGES =+ "${PN}-tests"
FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 [2] https://ubuntu.com/security/CVE-2026-27448 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> --- .../python3-pyopenssl/CVE-2026-27448.patch | 125 ++++++++++++++++++ .../python/python3-pyopenssl_25.1.0.bb | 4 + 2 files changed, 129 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch