FIPS OpenSSL crashes Python2.7 hashlib when using MD5

Bug #1898078 reported by Joy Latten
Affects             Status        Importance  Assigned to  Milestone
python2.7 (Ubuntu)  New           Undecided   Unassigned
  Xenial            New           Undecided   Unassigned
  Bionic            Fix Released  Undecided   Unassigned
  Focal             New           Undecided   Unassigned
  Groovy            Won't Fix     Undecided   Unassigned

Bug Description

LP #1835135 was fixed in python2.7. However, when python2.7 was updated to the current version, the fix was not included. It needs to be included again in the current version of python2.7 to prevent FIPS issues when using fips openssl with python's hashlib. This is only a problem in the latest python2.7 versions in xenial, bionic, focal, and groovy. python3 versions do not have this problem in these releases.

The fix was a backport of https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae
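The failure mode the description refers to, seen from the application side, as an added example (not code from this bug, from Ubuntu or from cpython): a digest probe that treats the patched build's ValueError as "digest unavailable" and falls back to a FIPS-approved algorithm instead of assuming MD5 exists. `fips_like_new` is a constructed stand-in for a FIPS-mode OpenSSL so the fallback can be exercised on any machine; its error string is illustrative, not copied from OpenSSL.

```python
"""Probe hashlib digest availability so code degrades cleanly when a FIPS-mode
OpenSSL refuses MD5. Unpatched python2.7 crashed in _hashopenssl.c here; the
patched build raises ValueError, which is what this code handles."""
import hashlib

# Digests acceptable for integrity use under FIPS; md5 is deliberately absent.
FIPS_APPROVED = ("sha256", "sha384", "sha512")


def digest_available(name, new=hashlib.new):
    """Return True if `name` can be instantiated by the current OpenSSL.
    `new` is injectable so a FIPS refusal can be simulated in tests."""
    try:
        new(name)
    except ValueError:  # "unsupported hash type" or a FIPS "disabled" error
        return False
    return True


def choose_digest(preferred, new=hashlib.new):
    """Pick the first usable digest from `preferred`, else a FIPS-approved one."""
    for name in tuple(preferred) + FIPS_APPROVED:
        if digest_available(name, new):
            return name
    raise RuntimeError("no usable digest available from OpenSSL")


def hexdigest(data, preferred=("md5",), new=hashlib.new):
    """Hash `data` with the best available digest; returns (name, hexdigest)
    so callers can record which algorithm was actually used."""
    name = choose_digest(preferred, new)
    h = new(name)
    h.update(data)
    return name, h.hexdigest()


def fips_like_new(name):
    """Constructed stand-in for a FIPS-mode OpenSSL: refuse md5 with a
    ValueError, as the patched python2.7 does, and allow everything else."""
    if name == "md5":
        raise ValueError("digital envelope routines: md5 disabled for fips (simulated)")
    return hashlib.new(name)


if __name__ == "__main__":
    print(hexdigest(b"abc"))                 # md5 on a non-FIPS host
    print(hexdigest(b"abc", new=fips_like_new))  # falls back to sha256
```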

Joy Latten (j-latten) wrote :

This has been fixed in bionic. Already fixed in xenial.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.7 - 2.7.17-1~18.04ubuntu1.2

---------------
python2.7 (2.7.17-1~18.04ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection
      in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116
  * debian/patches/issue9146.patch: re-adding fix FIPS mode environments where MD5
    isn't available in Modules/_hashopenssl.c. (LP: #1898078)

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 30 Sep 2020 10:38:04 -0300

Changed in python2.7 (Ubuntu Bionic):
status: New → Fix Released
Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release.

Changed in python2.7 (Ubuntu Groovy):
status: New → Won't Fix