[Bug 1808476] [NEW] Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants

Dimitri John Ledkov launchpad at surgut.co.uk
Fri Dec 14 06:40:20 UTC 2018


Public bug reported:

$ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'

Prints 0 for python2.7 built against 1.1.0 headers, yet prints
536870912 when built against 1.1.1, irrespective of the runtime libssl1.1
library version.

This may yield confusion, especially since ssl.OPENSSL_VERSION reports
the runtime libssl version, not the version of the libssl headers. Such
that, e.g., it looks like the ssl module is running against 1.1.1 and has
the OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.

Also vice versa, python2.7 built against 1.1.1 can be installed with the
1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not
understood by the runtime library.

In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1
(>= 1.1.1)" when building against libssl-dev >= 1.1.1.

python3.x are not affected, as they started to exploit 1.1.1-only
symbols/features, and thus already have an automatic dep on >= 1.1.1.
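The header/runtime mismatch described in the report can be checked from inside the interpreter. The following is an added example, not code from the bug report or from the python2.7 package: it compares the header-derived ssl.OP_NO_TLSv1_3 constant with the runtime libssl version that ssl.OPENSSL_VERSION_INFO reports and names which of the two mismatches (headers newer than the library, or library newer than the headers) applies. The function names, the 0x20000000 value (the decimal 536870912 quoted in the report) and the (1, 1, 1) threshold are the example's own assumptions.

```python
"""Detect a libssl header/runtime mismatch around ssl.OP_NO_TLSv1_3.

Added example for the bug discussed above; not part of the report or of
the python2.7 package. Only the standard ssl module is used.
"""
import ssl

# Value that OpenSSL 1.1.1 headers give SSL_OP_NO_TLSv1_3 (0x20000000);
# the report quotes the same number in decimal, 536870912. Assumed here.
OP_NO_TLSV1_3_EXPECTED = 0x20000000

# First runtime libssl version that implements TLS 1.3 and the option.
TLS13_MIN_RUNTIME = (1, 1, 1)


def classify(op_no_tlsv1_3, runtime_version):
    """Compare the header-derived constant with the runtime libssl version.

    op_no_tlsv1_3  : value of ssl.OP_NO_TLSv1_3 (0 when built against 1.1.0)
    runtime_version: (major, minor, fix) from ssl.OPENSSL_VERSION_INFO
    Returns 'consistent', 'headers_newer' or 'runtime_newer'.
    """
    headers_know_tls13 = op_no_tlsv1_3 != 0
    runtime_has_tls13 = tuple(runtime_version[:3]) >= TLS13_MIN_RUNTIME
    if headers_know_tls13 and not runtime_has_tls13:
        # Python built against 1.1.1 headers, running on a 1.1.0 library:
        # the option bit can be set but the library does not understand it.
        return "headers_newer"
    if runtime_has_tls13 and not headers_know_tls13:
        # Python built against 1.1.0 headers, running on 1.1.1: TLS 1.3 is
        # negotiable, but the module offers no option to switch it off.
        return "runtime_newer"
    return "consistent"


def option_usable(op_no_tlsv1_3, runtime_version):
    """True only when the constant is real and the library understands it."""
    return (op_no_tlsv1_3 != 0
            and classify(op_no_tlsv1_3, runtime_version) == "consistent")


def check_host():
    """Run the comparison against the interpreter this script runs under."""
    op = getattr(ssl, "OP_NO_TLSv1_3", 0)  # attribute is absent on old builds
    runtime = ssl.OPENSSL_VERSION_INFO[:3]
    return {
        "op_no_tlsv1_3": op,
        "runtime": ssl.OPENSSL_VERSION,
        "verdict": classify(op, runtime),
        "option_usable": option_usable(op, runtime),
    }


if __name__ == "__main__":
    for key, value in sorted(check_host().items()):
        print("%-14s %s" % (key, value))
```

Running the script on a host prints the constant, the runtime version string and the verdict; anything other than "consistent" is the situation the report asks the package dependency to rule out. The check deliberately reads only ssl.OPENSSL_VERSION_INFO for the runtime side, because, as the report notes, ssl.OPENSSL_VERSION says nothing about the headers the module was compiled against.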

** Affects: python2.7 (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  $ python -c 'import ssl; print(ssl.OP_NO_TLSv1_3)'
  
  Prints 0, for python2.7 built against 1.1.0 headers, yet prints
  536870912 when built against 1.1.1 irrespective of the runtime libssl1.1
  library version.
  
  This may yield confusion, especially since ssl.OPENSSL_VERSION reports
  runtime libssl version, not the version of the libssl headers. Such
  that, e.g. it looks like ssl module is running against 1.1.1, has
  OP_NO_TLSv1_3 option, yet cannot actually use it to disable TLSv1.3.
  
  Also vice versa, python2.7 build against 1.1.1 can be installed with
  1.1.0 runtime library, and thus OP_NO_TLSv1_3 might be set, which is not
  understood by the runtime library.
  
  In libpython2.7-stdlib, please bump libssl1.1 version dep to "libssl1.1
  (>= 1.1.1)" when building against libssl-dev >= 1.1.1.
+ 
+ python3.x are not affected, as they started to exploit 1.1.1-only
+ symbols/features, and thus already have an automatic dep on >= 1.1.1.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1808476

