Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants

Bug #1808476 reported by Dimitri John Ledkov
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python2.7 (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned
Disco
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'

Prints 0, for python2.7 built against 1.1.0 headers, yet prints 536870912 when built against 1.1.1 irrespective of the runtime libssl1.1 library version.

This may yield confusion, especially since ssl.OPENSSL_VERSION reports runtime libssl version, not the version of the libssl headers. Such that, e.g. it looks like ssl module is running against 1.1.1, has OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.

Also vice versa, python2.7 build against 1.1.1 can be installed with 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not understood by the runtime library.

In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.

python3.x are not affected, as they started to exploit 1.1.1-only symbols/features, and thus already have an automatic dep on >= 1.1.1.

[Test Case]

Make sure the libssl1.1 build-dependency of python2.7 is at least 1.1.1.

[Regression Potential]

Potentially none, besides the usual regression potential of new rebuilds.

description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.16-2

---------------
python2.7 (2.7.16-2) unstable; urgency=high

  [ Matthias Klose ]
  * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
    normalize to separators. Closes: #924073.
  * CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
    (file://).

  [ Dimitri John Ledkov ]
  * Bump Build-Depedency and Dependency of libssl-dev and libss1.1 to
    1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
    shouldn't mix and match python2.7 & libssl1.1. LP: #1808476

 -- Matthias Klose <email address hidden> Sat, 06 Apr 2019 03:42:57 +0200

Changed in python2.7 (Ubuntu Disco):
status: New → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted python2.7 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python2.7/2.7.16-2~18.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Changed in python2.7 (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.16-2~18.10

---------------
python2.7 (2.7.16-2~18.10) cosmic-proposed; urgency=medium

  * SRU: LP: #1822993.

python2.7 (2.7.16-2) unstable; urgency=high

  [ Matthias Klose ]
  * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
    normalize to separators. Closes: #924073.
  * CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
    (file://).

  [ Dimitri John Ledkov ]
  * Bump Build-Depedency and Dependency of libssl-dev and libss1.1 to
    1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
    shouldn't mix and match python2.7 & libssl1.1. LP: #1808476

python2.7 (2.7.16-1) unstable; urgency=medium

  * Python 2.7.16 release.
    - Now has a version without a trailing '+'. Closes: #914072.

python2.7 (2.7.16~rc1-1) unstable; urgency=medium

  * Python 2.7.16 release candidate 1.

python2.7 (2.7.15-9) unstable; urgency=medium

  * Update to 20190216 from the 2.7 branch.
    - Backport of TLS 1.3 related fixes from 3.7.
  * Drop the local TLS 1.3 backports.

python2.7 (2.7.15-8) unstable; urgency=medium

  * Fix typo in autopkg test.

python2.7 (2.7.15-7) unstable; urgency=medium

  * Expect the test_site test failing as in 3.7.

python2.7 (2.7.15-6) unstable; urgency=medium

  * Update to 20190201 from the 2.7 branch.
    - CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
    - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
      Closes: #921039.
    - CVE-2019-5010: DsO vulnerability exists in the X509 certificate parser.
      Closes: #921040.
  * Bump standards version.
  * Update symbols file.

python2.7 (2.7.15-5) unstable; urgency=medium

  * Update to 20181127 from the 2.7 branch.
    - Fix issue #20744, running an external 'zip' in shutil.make_archive().
      CVE-2018-1000802. Closes: #909673.
  * Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
    test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
    of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
  * Don't hard code location of netinet/in.h. Closes: #912422.
  * Update VCS attributes.

 -- Matthias Klose <email address hidden> Tue, 09 Apr 2019 06:50:39 +0200

Changed in python2.7 (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
tags: removed: verification-needed verification-needed-cosmic
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Dimitri, or anyone else affected,

Accepted python2.7 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python2.7/2.7.17-1~18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in python2.7 (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (python2.7/2.7.17-1~18.04)

All autopkgtests for the newly accepted python2.7 (2.7.17-1~18.04) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

pdal/unknown (armhf)
mercurial/4.5.3-1ubuntu2.1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#python2.7

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.17-1~18.04

---------------
python2.7 (2.7.17-1~18.04) bionic-proposed; urgency=medium

  * SRU: LP: #1855133.
  * Backport Python 2.7.17 to 18.04 LTS.
  * Don't run the test_ttk_guionly test, hangs on the buildds.

python2.7 (2.7.17-1) unstable; urgency=medium

  * Python 2.7.17 release.

python2.7 (2.7.17~rc1-1) unstable; urgency=medium

  * Python 2.7.17 release candidate 1.
    - CVE-2019-16056, don't parse domains containing @. Closes: #940901.
  * Bump standards version.

python2.7 (2.7.16-4) unstable; urgency=medium

  * Update to 20190904 from the 2.7 branch.
  * Refresh patches.
  * Drop build dependency on python:any. Addresses: #937569.
  * Annotate Build-Depends: xvfb and xauth with <!nocheck>. Closes: #928514.

python2.7 (2.7.16-3) unstable; urgency=medium

  * Update to 20190708 from the 2.7 branch.
  * Bump standards version.

python2.7 (2.7.16-2) unstable; urgency=high

  [ Matthias Klose ]
  * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
    normalize to separators. Closes: #924073.
  * CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
    (file://).

  [ Dimitri John Ledkov ]
  * Bump Build-Depedency and Dependency of libssl-dev and libss1.1 to
    1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
    shouldn't mix and match python2.7 & libssl1.1. LP: #1808476

python2.7 (2.7.16-1) unstable; urgency=medium

  * Python 2.7.16 release.
    - Now has a version without a trailing '+'. Closes: #914072.

python2.7 (2.7.16~rc1-1) unstable; urgency=medium

  * Python 2.7.16 release candidate 1.

python2.7 (2.7.15-9) unstable; urgency=medium

  * Update to 20190216 from the 2.7 branch.
    - Backport of TLS 1.3 related fixes from 3.7.
  * Drop the local TLS 1.3 backports.

python2.7 (2.7.15-8) unstable; urgency=medium

  * Fix typo in autopkg test.

python2.7 (2.7.15-7) unstable; urgency=medium

  * Expect the test_site test failing as in 3.7.

python2.7 (2.7.15-6) unstable; urgency=medium

  * Update to 20190201 from the 2.7 branch.
    - CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
    - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
      Closes: #921039.
    - CVE-2019-5010: DsO vulnerability exists in the X509 certificate parser.
      Closes: #921040.
  * Bump standards version.
  * Update symbols file.

python2.7 (2.7.15-5) unstable; urgency=medium

  * Update to 20181127 from the 2.7 branch.
    - Fix issue #20744, running an external 'zip' in shutil.make_archive().
      CVE-2018-1000802. Closes: #909673.
  * Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
    test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
    of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
  * Don't hard code location of netinet/in.h. Closes: #912422.
  * Update VCS attributes.

 -- Matthias Klose <email address hidden> Thu, 07 Nov 2019 11:07:09 +0100

Changed in python2.7 (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.