[Bug 1808476] Re: Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants

Ɓukasz Zemczak 1808476 at bugs.launchpad.net
Thu Dec 5 21:19:41 UTC 2019 

Hello Dimitri, or anyone else affected,

Accepted python2.7 into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/python2.7/2.7.17-1~18.04 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: python2.7 (Ubuntu Bionic)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1808476

Title:
  Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak
  constants

Status in python2.7 package in Ubuntu:
  Fix Released
Status in python2.7 source package in Bionic:
  Fix Committed
Status in python2.7 source package in Cosmic:
  Fix Released
Status in python2.7 source package in Disco:
  Fix Released

Bug description:
  [Impact]

  $ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'

  Prints 0, for python2.7 built against 1.1.0 headers, yet prints
  536870912 when built against 1.1.1 irrespective of the runtime
  libssl1.1 library version.

  This may yield confusion, especially since ssl.OPENSSL_VERSION reports
  runtime libssl version, not the version of the libssl headers. Such
  that, e.g. it looks like ssl module is running against 1.1.1, has
  OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.

  Also vice versa, python2.7 build against 1.1.1 can be installed with
  1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is
  not understood by the runtime library.

  In libpython2.7-stdlib, please bump libssl1.1 version dep to
  "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.

  python3.x are not affected, as they started to exploit 1.1.1-only
  symbols/features, and thus already have an automatic dep on >= 1.1.1.

  [Test Case]

  Make sure the libssl1.1 build-dependency of python2.7 is at least
  1.1.1.

  [Regression Potential]

  Potentially none, besides the usual regression potential of new
  rebuilds.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1808476/+subscriptions

More information about the foundations-bugs mailing list