[Bug 1808476] Re: Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants
Mathew Hodson
1808476 at bugs.launchpad.net
Thu Dec 5 03:40:53 UTC 2019
** Tags removed: verification-needed verification-needed-cosmic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1808476
Title:
Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak
constants
Status in python2.7 package in Ubuntu:
Fix Released
Status in python2.7 source package in Bionic:
New
Status in python2.7 source package in Cosmic:
Fix Released
Status in python2.7 source package in Disco:
Fix Released
Bug description:
[Impact]
$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
Prints 0, for python2.7 built against 1.1.0 headers, yet prints
536870912 when built against 1.1.1 irrespective of the runtime
libssl1.1 library version.
This may yield confusion, especially since ssl.OPENSSL_VERSION reports
runtime libssl version, not the version of the libssl headers. Such
that, e.g. it looks like ssl module is running against 1.1.1, has
OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
Also vice versa, python2.7 build against 1.1.1 can be installed with
1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is
not understood by the runtime library.
In libpython2.7-stdlib, please bump libssl1.1 version dep to
"libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.
python3.x are not affected, as they started to exploit 1.1.1-only
symbols/features, and thus already have an automatic dep on >= 1.1.1.
[Test Case]
Make sure the libssl1.1 build-dependency of python2.7 is at least
1.1.1.
[Regression Potential]
Potentially none, besides the usual regression potential of new
rebuilds.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1808476/+subscriptions
More information about the foundations-bugs
mailing list