FIPS OpenSSL crashes Python2.7 hashlib when using MD5

Bug #1898078 reported by Joy Latten on 2020-10-01
Affects (Importance, Assigned to):
python2.7 (Ubuntu): Undecided, Unassigned
Xenial: Undecided, Unassigned
Bionic: Undecided, Unassigned
Focal: Undecided, Unassigned
Groovy: Undecided, Unassigned

Bug Description

LP #1835135 was fixed in python2.7. However, when python2.7 was updated to the current version, the fix was not included. It needs to be included again in the current version of python2.7 to prevent FIPS issues when using FIPS OpenSSL with Python's hashlib. This is only a problem in the latest python2.7 versions in xenial, bionic, focal, and groovy. python3 versions do not have this problem in these releases.

The fix was a backport of https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

Joy Latten (j-latten) on 2020-10-01
description: updated
description: updated
Joy Latten (j-latten) wrote :

This has been fixed in bionic. Already fixed in xenial.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.17-1~18.04ubuntu1.2

---------------
python2.7 (2.7.17-1~18.04ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection
      in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116
  * debian/patches/issue9146.patch: re-adding fix FIPS mode environments where MD5
    isn't available in Modules/_hashopenssl.c. (LP: #1898078)

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 30 Sep 2020 10:38:04 -0300

Changed in python2.7 (Ubuntu Bionic):
status: New → Fix Released
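
A regression probe for the behaviour this bug describes, as an added example that is not part of the bug report or the Ubuntu patch: it runs the MD5 call in a child interpreter so a crash cannot take down the caller. It assumes a fixed build either computes the digest or raises ValueError; the names PROBE, classify and probe_md5 are hypothetical.

```python
from __future__ import print_function

import subprocess
import sys

# Child program. ssl is imported first on the assumption that OpenSSL being
# initialised before hashlib is what exposes the crash on an unpatched build.
PROBE = """
try:
    import ssl
except ImportError:
    pass
import hashlib
try:
    hashlib.md5(b'probe').hexdigest()
    print('MD5_OK')
except ValueError:
    print('MD5_REJECTED')
"""


def classify(returncode, stdout):
    """Map the child's exit status and output to a verdict string."""
    if returncode < 0:
        # POSIX: a negative code means the child died from a signal (e.g. SIGSEGV).
        return "crashed"
    if "MD5_OK" in stdout:
        return "ok"          # MD5 available (non-FIPS, or MD5 still permitted)
    if "MD5_REJECTED" in stdout:
        return "rejected"    # clean ValueError: the behaviour assumed for a fixed build
    return "error"           # anything else, e.g. hashlib failed to import


def probe_md5(python=sys.executable):
    """Run the probe in a separate interpreter so a crash stays contained."""
    child = subprocess.Popen([python, "-c", PROBE],
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, _ = child.communicate()
    return classify(child.returncode, out.decode("utf-8", "replace"))


if __name__ == "__main__":
    verdict = probe_md5()
    print("hashlib.md5 under this interpreter:", verdict)
    sys.exit(1 if verdict in ("crashed", "error") else 0)
```

To check a specific build, pass the interpreter path to probe_md5() on a host with FIPS mode enabled; the code runs unchanged on Python 2.7 and Python 3.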