[Bug 1808476] Re: Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants
Launchpad Bug Tracker
1808476 at bugs.launchpad.net
Mon Dec 16 13:25:48 UTC 2019
This bug was fixed in the package python2.7 - 2.7.17-1~18.04
---------------
python2.7 (2.7.17-1~18.04) bionic-proposed; urgency=medium

  * SRU: LP: #1855133.
  * Backport Python 2.7.17 to 18.04 LTS.
  * Don't run the test_ttk_guionly test, hangs on the buildds.

python2.7 (2.7.17-1) unstable; urgency=medium

  * Python 2.7.17 release.

python2.7 (2.7.17~rc1-1) unstable; urgency=medium

  * Python 2.7.17 release candidate 1.
    - CVE-2019-16056, don't parse domains containing @. Closes: #940901.
  * Bump standards version.

python2.7 (2.7.16-4) unstable; urgency=medium

  * Update to 20190904 from the 2.7 branch.
  * Refresh patches.
  * Drop build dependency on python:any. Addresses: #937569.
  * Annotate Build-Depends: xvfb and xauth with <!nocheck>. Closes: #928514.

python2.7 (2.7.16-3) unstable; urgency=medium

  * Update to 20190708 from the 2.7 branch.
  * Bump standards version.

python2.7 (2.7.16-2) unstable; urgency=high

  [ Matthias Klose ]
  * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
    normalize to separators. Closes: #924073.
  * CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
    (file://).

  [ Dimitri John Ledkov ]
  * Bump Build-Dependency and Dependency of libssl-dev and libssl1.1 to
    1.1.1 or higher. As TLS1.3 constants leak into ssl module, thus one
    shouldn't mix and match python2.7 & libssl1.1. LP: #1808476

python2.7 (2.7.16-1) unstable; urgency=medium

  * Python 2.7.16 release.
    - Now has a version without a trailing '+'. Closes: #914072.

python2.7 (2.7.16~rc1-1) unstable; urgency=medium

  * Python 2.7.16 release candidate 1.

python2.7 (2.7.15-9) unstable; urgency=medium

  * Update to 20190216 from the 2.7 branch.
    - Backport of TLS 1.3 related fixes from 3.7.
  * Drop the local TLS 1.3 backports.

python2.7 (2.7.15-8) unstable; urgency=medium

  * Fix typo in autopkg test.

python2.7 (2.7.15-7) unstable; urgency=medium

  * Expect the test_site test failing as in 3.7.

python2.7 (2.7.15-6) unstable; urgency=medium

  * Update to 20190201 from the 2.7 branch.
    - CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
    - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
      Closes: #921039.
    - CVE-2019-5010: DoS vulnerability exists in the X509 certificate parser.
      Closes: #921040.
  * Bump standards version.
  * Update symbols file.

python2.7 (2.7.15-5) unstable; urgency=medium

  * Update to 20181127 from the 2.7 branch.
    - Fix issue #20744, running an external 'zip' in shutil.make_archive().
      CVE-2018-1000802. Closes: #909673.
  * Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
    test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
    of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
  * Don't hard code location of netinet/in.h. Closes: #912422.
  * Update VCS attributes.

 -- Matthias Klose <doko at ubuntu.com>  Thu, 07 Nov 2019 11:07:09 +0100
** Changed in: python2.7 (Ubuntu Bionic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16056
https://bugs.launchpad.net/bugs/1808476
Title:
  Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak
  constants

Status in python2.7 package in Ubuntu:
  Fix Released
Status in python2.7 source package in Bionic:
  Fix Released
Status in python2.7 source package in Cosmic:
  Fix Released
Status in python2.7 source package in Disco:
  Fix Released
Bug description:
  [Impact]

  $ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'

  Prints 0 for python2.7 built against 1.1.0 headers, yet prints
  536870912 when built against 1.1.1, irrespective of the runtime
  libssl1.1 library version.

  This may cause confusion, especially since ssl.OPENSSL_VERSION reports
  the runtime libssl version, not the version of the libssl headers, so
  that, e.g., it looks like the ssl module is running against 1.1.1 and
  has the OP_NO_TLSv1_3 option, yet cannot actually use it to disable
  TLSv1.3.

  Also vice versa: python2.7 built against 1.1.1 can be installed with
  the 1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which
  is not understood by the runtime library.

  In libpython2.7-stdlib, please bump the libssl1.1 version dep to
  "libssl1.1 (>= 1.1.1)" when building against libssl-dev >= 1.1.1.

  python3.x are not affected, as they started to exploit 1.1.1-only
  symbols/features, and thus already have an automatic dep on >= 1.1.1.

  [Test Case]

  Make sure the libssl1.1 build-dependency of python2.7 is at least
  1.1.1.

  [Regression Potential]

  Potentially none, besides the usual regression potential of new
  rebuilds.
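As an added illustration, not part of the bug report or of the python2.7 package, the following Python turns the [Impact] section into a check an operator or packager can run. It separates what the ssl module learned at compile time (a non-zero ssl.OP_NO_TLSv1_3, which is OpenSSL's SSL_OP_NO_TLSv1_3 bit 0x20000000 = 536870912 from the 1.1.1 headers) from what the runtime library reports (ssl.OPENSSL_VERSION_INFO), and names the two mismatch cases the report describes. The function names (classify, would_disable_tls13, check_local_interpreter) are this example's own; the 0x20000000 value is assumed from the number printed in the report. It runs unchanged on Python 2.7 and 3.x.

```python
import ssl

# SSL_OP_NO_TLSv1_3 as the OpenSSL 1.1.1 headers define it (assumption taken
# from the 536870912 printed in the bug report). A python2.7 built against
# 1.1.0 headers exposes ssl.OP_NO_TLSv1_3 == 0 instead, so OR-ing it into
# ctx.options is a no-op there.
SSL_OP_NO_TLSV1_3 = 0x20000000  # == 536870912


def headers_knew_tls13(op_no_tlsv1_3):
    """True when the ssl module was compiled against headers that define the
    TLS 1.3 option bit, i.e. the exported constant is non-zero."""
    return op_no_tlsv1_3 != 0


def runtime_knows_tls13(version_info):
    """True when the *runtime* libssl (ssl.OPENSSL_VERSION_INFO) is 1.1.1 or
    newer; OpenSSL 3.x also satisfies this."""
    return tuple(version_info[:3]) >= (1, 1, 1)


def classify(op_no_tlsv1_3, version_info):
    """Compare compile-time (header) knowledge with the runtime library.

    Returns one of:
      'consistent'     headers and runtime agree about TLS 1.3
      'headers-newer'  built against 1.1.1, running on 1.1.0: setting
                       OP_NO_TLSv1_3 sends a bit the library does not know
      'headers-older'  built against 1.1.0, running on 1.1.1: the constant
                       is 0, so TLS 1.3 cannot actually be disabled
    """
    h = headers_knew_tls13(op_no_tlsv1_3)
    r = runtime_knows_tls13(version_info)
    if h == r:
        return 'consistent'
    return 'headers-newer' if h else 'headers-older'


def would_disable_tls13(op_no_tlsv1_3, version_info):
    """Whether `ctx.options |= ssl.OP_NO_TLSv1_3` really disables TLS 1.3 on
    this combination: only when the constant is non-zero AND the runtime
    library understands the bit."""
    return headers_knew_tls13(op_no_tlsv1_3) and runtime_knows_tls13(version_info)


def check_local_interpreter():
    """Run the check against the interpreter executing this script.
    getattr() with a default covers builds that lack the attribute entirely."""
    const = int(getattr(ssl, 'OP_NO_TLSv1_3', 0))
    info = ssl.OPENSSL_VERSION_INFO
    return {
        'OP_NO_TLSv1_3': const,
        'OPENSSL_VERSION': ssl.OPENSSL_VERSION,   # runtime, not header, version
        'verdict': classify(const, info),
        'can_disable_tls13': would_disable_tls13(const, info),
    }


if __name__ == '__main__':
    for key, value in sorted(check_local_interpreter().items()):
        print('%-18s %s' % (key, value))
```

A verdict other than 'consistent' is exactly the situation the dependency bump in 2.7.16-2 prevents at install time; running this on a host that has already mixed packages tells you which direction the mismatch goes, and can_disable_tls13 says whether any code relying on OP_NO_TLSv1_3 there is silently ineffective.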