[Bug 1808476] Re: Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants
Launchpad Bug Tracker
1808476 at bugs.launchpad.net
Sat Apr 6 18:39:13 UTC 2019
This bug was fixed in the package python2.7 - 2.7.16-2
---------------
python2.7 (2.7.16-2) unstable; urgency=high
[ Matthias Klose ]
* CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
normalize to separators. Closes: #924073.
* CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
(file://).
[ Dimitri John Ledkov ]
* Bump Build-Dependency and Dependency of libssl-dev and libssl1.1 to
1.1.1 or higher. As TLS1.3 constants leak into the ssl module, one
shouldn't mix and match python2.7 & libssl1.1. LP: #1808476
-- Matthias Klose <doko at debian.org> Sat, 06 Apr 2019 03:42:57 +0200
** Changed in: python2.7 (Ubuntu Disco)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9636
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9948
https://bugs.launchpad.net/bugs/1808476
Title:
Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak
constants
Status in python2.7 package in Ubuntu:
Fix Released
Status in python2.7 source package in Bionic:
New
Status in python2.7 source package in Cosmic:
New
Status in python2.7 source package in Disco:
Fix Released
Bug description:
$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
Prints 0 for python2.7 built against 1.1.0 headers, yet prints
536870912 when built against 1.1.1, irrespective of the runtime
libssl1.1 library version.
This may cause confusion, especially since ssl.OPENSSL_VERSION reports
the runtime libssl version, not the version of the libssl headers. So,
e.g., it looks like the ssl module is running against 1.1.1 and has the
OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
And vice versa: python2.7 built against 1.1.1 can be installed with the
1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is
not understood by the runtime library.
In libpython2.7-stdlib, please bump libssl1.1 version dep to
"libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.
python3.x are not affected, as they started to exploit 1.1.1-only
symbols/features, and thus already have an automatic dep on >= 1.1.1.
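The header/runtime mismatch described in the bug report can be detected from inside the interpreter by comparing the compile-time constant (ssl.OP_NO_TLSv1_3, 0 when built against pre-1.1.1 headers) with the runtime version that ssl.OPENSSL_VERSION_INFO reports. The following check is an added example, not code from the bug report or the python2.7 package; the four status labels are assumed names chosen here.

```python
import ssl

# OP_NO_TLSv1_3 value reported in the bug for a python2.7 built against
# 1.1.1 headers: 536870912 == 0x20000000.
EXPECTED_OP_NO_TLSv1_3 = 0x20000000
# First OpenSSL release that implements TLS 1.3 (and defines the macro).
MIN_TLS13_VERSION = (1, 1, 1)


def tls13_option_status(op_no_tlsv1_3, runtime_version_info):
    """Classify a (headers, runtime) combination.

    op_no_tlsv1_3        -- value of ssl.OP_NO_TLSv1_3 (0 when the build
                            headers predate 1.1.1 and the macro is absent)
    runtime_version_info -- ssl.OPENSSL_VERSION_INFO, which describes the
                            libssl loaded at run time, not the headers
    """
    headers_have_tls13 = int(op_no_tlsv1_3) != 0
    runtime_has_tls13 = tuple(runtime_version_info[:3]) >= MIN_TLS13_VERSION
    if headers_have_tls13 and runtime_has_tls13:
        return "ok"
    if headers_have_tls13 and not runtime_has_tls13:
        # Second case in the bug: the option bit can be set on a context,
        # but the 1.1.0 library does not understand it.
        return "runtime-too-old"
    if runtime_has_tls13 and not headers_have_tls13:
        # First case in the bug: OPENSSL_VERSION says 1.1.1, but
        # ctx.options |= ssl.OP_NO_TLSv1_3 ORs in 0, so TLS 1.3 stays on.
        return "headers-too-old"
    return "no-tls13"


def check_current_interpreter():
    """Run the classification against the interpreter this executes in."""
    op = int(getattr(ssl, "OP_NO_TLSv1_3", 0))
    status = tls13_option_status(op, ssl.OPENSSL_VERSION_INFO)
    return status, op, ssl.OPENSSL_VERSION


if __name__ == "__main__":
    status, op, version = check_current_interpreter()
    print("runtime %s, OP_NO_TLSv1_3=%#x -> %s" % (version, op, status))
```

Only "ok" means that setting OP_NO_TLSv1_3 on an SSLContext will actually disable TLS 1.3; the two mismatch statuses are exactly the combinations the tightened libssl1.1 dependency is meant to rule out.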