Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants

Bug #1808476 reported by Dimitri John Ledkov on 2018-12-14
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python2.7 (Ubuntu)
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned

Bug Description

[Impact]

$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'

Prints 0, for python2.7 built against 1.1.0 headers, yet prints 536870912 when built against 1.1.1 irrespective of the runtime libssl1.1 library version.

This may yield confusion, especially since ssl.OPENSSL_VERSION reports runtime libssl version, not the version of the libssl headers. Such that, e.g. it looks like ssl module is running against 1.1.1, has OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.

Also vice versa, python2.7 build against 1.1.1 can be installed with 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not understood by the runtime library.

In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.

python3.x are not affected, as they started to exploit 1.1.1-only symbols/features, and thus already have an automatic dep on >= 1.1.1.

[Test Case]

Make sure the libssl1.1 build-dependency of python2.7 is at least 1.1.1.

[Regression Potential]

Potentially none, besides the usual regression potential of new rebuilds.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.16-2

---------------
python2.7 (2.7.16-2) unstable; urgency=high

  [ Matthias Klose ]
  * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
    normalize to separators. Closes: #924073.
  * CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
    (file://).

  [ Dimitri John Ledkov ]
  * Bump Build-Depedency and Dependency of libssl-dev and libss1.1 to
    1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
    shouldn't mix and match python2.7 & libssl1.1. LP: #1808476

 -- Matthias Klose <email address hidden> Sat, 06 Apr 2019 03:42:57 +0200

Changed in python2.7 (Ubuntu Disco):
status: New → Fix Released

Hello Dimitri, or anyone else affected,

Accepted python2.7 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python2.7/2.7.16-2~18.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Changed in python2.7 (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.16-2~18.10

---------------
python2.7 (2.7.16-2~18.10) cosmic-proposed; urgency=medium

  * SRU: LP: #1822993.

python2.7 (2.7.16-2) unstable; urgency=high

  [ Matthias Klose ]
  * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
    normalize to separators. Closes: #924073.
  * CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
    (file://).

  [ Dimitri John Ledkov ]
  * Bump Build-Depedency and Dependency of libssl-dev and libss1.1 to
    1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
    shouldn't mix and match python2.7 & libssl1.1. LP: #1808476

python2.7 (2.7.16-1) unstable; urgency=medium

  * Python 2.7.16 release.
    - Now has a version without a trailing '+'. Closes: #914072.

python2.7 (2.7.16~rc1-1) unstable; urgency=medium

  * Python 2.7.16 release candidate 1.

python2.7 (2.7.15-9) unstable; urgency=medium

  * Update to 20190216 from the 2.7 branch.
    - Backport of TLS 1.3 related fixes from 3.7.
  * Drop the local TLS 1.3 backports.

python2.7 (2.7.15-8) unstable; urgency=medium

  * Fix typo in autopkg test.

python2.7 (2.7.15-7) unstable; urgency=medium

  * Expect the test_site test failing as in 3.7.

python2.7 (2.7.15-6) unstable; urgency=medium

  * Update to 20190201 from the 2.7 branch.
    - CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
    - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
      Closes: #921039.
    - CVE-2019-5010: DsO vulnerability exists in the X509 certificate parser.
      Closes: #921040.
  * Bump standards version.
  * Update symbols file.

python2.7 (2.7.15-5) unstable; urgency=medium

  * Update to 20181127 from the 2.7 branch.
    - Fix issue #20744, running an external 'zip' in shutil.make_archive().
      CVE-2018-1000802. Closes: #909673.
  * Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
    test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
    of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
  * Don't hard code location of netinet/in.h. Closes: #912422.
  * Update VCS attributes.

 -- Matthias Klose <email address hidden> Tue, 09 Apr 2019 06:50:39 +0200

Changed in python2.7 (Ubuntu Cosmic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers