2018-12-14 06:40:20 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2018-12-14 06:44:09 |
Dimitri John Ledkov |
description |
$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
Prints 0, for python2.7 built against 1.1.0 headers, yet prints 536870912 when built against 1.1.1 irrespective of the runtime libssl1.1 library version.
This may yield confusion, especially since ssl.OPENSSL_VERSION reports the runtime libssl version, not the version of the libssl headers, such that, e.g., it looks like the ssl module is running against 1.1.1 and has the OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
Also vice versa, python2.7 built against 1.1.1 can be installed with the 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not understood by the runtime library.
In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1. |
$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
Prints 0, for python2.7 built against 1.1.0 headers, yet prints 536870912 when built against 1.1.1 irrespective of the runtime libssl1.1 library version.
This may yield confusion, especially since ssl.OPENSSL_VERSION reports the runtime libssl version, not the version of the libssl headers, such that, e.g., it looks like the ssl module is running against 1.1.1 and has the OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
Also vice versa, python2.7 built against 1.1.1 can be installed with the 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not understood by the runtime library.
In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.
python3.x are not affected, as they started to exploit 1.1.1-only symbols/features, and thus already have an automatic dep on >= 1.1.1. |
|
2019-04-05 00:03:20 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Disco |
|
2019-04-05 00:03:20 |
Dimitri John Ledkov |
bug task added |
|
python2.7 (Ubuntu Disco) |
|
2019-04-05 00:03:20 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Cosmic |
|
2019-04-05 00:03:20 |
Dimitri John Ledkov |
bug task added |
|
python2.7 (Ubuntu Cosmic) |
|
2019-04-05 00:03:20 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Bionic |
|
2019-04-05 00:03:20 |
Dimitri John Ledkov |
bug task added |
|
python2.7 (Ubuntu Bionic) |
|
2019-04-06 18:39:13 |
Launchpad Janitor |
python2.7 (Ubuntu Disco): status |
New |
Fix Released |
|
2019-04-06 18:39:13 |
Launchpad Janitor |
cve linked |
|
2019-9636 |
|
2019-04-06 18:39:13 |
Launchpad Janitor |
cve linked |
|
2019-9948 |
|
2019-04-11 20:03:02 |
Łukasz Zemczak |
description |
$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
Prints 0, for python2.7 built against 1.1.0 headers, yet prints 536870912 when built against 1.1.1 irrespective of the runtime libssl1.1 library version.
This may yield confusion, especially since ssl.OPENSSL_VERSION reports the runtime libssl version, not the version of the libssl headers, such that, e.g., it looks like the ssl module is running against 1.1.1 and has the OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
Also vice versa, python2.7 built against 1.1.1 can be installed with the 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not understood by the runtime library.
In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.
python3.x are not affected, as they started to exploit 1.1.1-only symbols/features, and thus already have an automatic dep on >= 1.1.1. |
[Impact]
$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
Prints 0, for python2.7 built against 1.1.0 headers, yet prints 536870912 when built against 1.1.1 irrespective of the runtime libssl1.1 library version.
This may yield confusion, especially since ssl.OPENSSL_VERSION reports the runtime libssl version, not the version of the libssl headers, such that, e.g., it looks like the ssl module is running against 1.1.1 and has the OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
Also vice versa, python2.7 built against 1.1.1 can be installed with the 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not understood by the runtime library.
In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.
python3.x are not affected, as they started to exploit 1.1.1-only symbols/features, and thus already have an automatic dep on >= 1.1.1.
[Test Case]
Make sure the libssl1.1 build-dependency of python2.7 is at least 1.1.1.
[Regression Potential]
Potentially none, besides the usual regression potential of new rebuilds. |
|
2019-04-11 20:06:06 |
Łukasz Zemczak |
python2.7 (Ubuntu Cosmic): status |
New |
Fix Committed |
|
2019-04-11 20:06:07 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-04-11 20:06:09 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2019-04-11 20:06:12 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-cosmic |
|
2019-04-29 16:47:55 |
Launchpad Janitor |
python2.7 (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-04-29 16:47:55 |
Launchpad Janitor |
cve linked |
|
2013-1752 |
|
2019-04-29 16:47:55 |
Launchpad Janitor |
cve linked |
|
2018-1000802 |
|
2019-04-29 16:47:55 |
Launchpad Janitor |
cve linked |
|
2018-14647 |
|
2019-04-29 16:47:55 |
Launchpad Janitor |
cve linked |
|
2019-5010 |
|
2019-12-05 03:40:53 |
Mathew Hodson |
tags |
verification-needed verification-needed-cosmic |
|
|
2019-12-05 21:19:35 |
Łukasz Zemczak |
python2.7 (Ubuntu Bionic): status |
New |
Fix Committed |
|
2019-12-05 21:19:39 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-bionic |
|
2019-12-16 13:25:48 |
Launchpad Janitor |
python2.7 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-12-16 13:25:48 |
Launchpad Janitor |
cve linked |
|
2019-16056 |
|