Your message dated Thu, 05 Nov 2015 03:17:26 +0100
with message-id <2949418.CT9bXsLBMs@mornie>
and subject line closing 766296
has caused the Debian Bug report #766296,
regarding python-urllib3: shouldn't it depend on python-ndg-httpsclient,
python-openssl and python-pyasn1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
766296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766296
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-urllib3
Version: 1.9.1-2
Severity: important
Tags: security
Hi.
I've read that worrisome entry in the changelog.Debian:
> - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
> python-urllib3's Recommends to ensure that SNI works as expected and to
> prevent CRIME attack
So apparently you say that without python-ndg-httpsclient, python-openssl
and python-pyasn1, python-urllib3 is vulnerable to at least CRIME, right?
But shouldn't it then Depend on all of those? Or is it guaranteed that
all code that might ever use python-urllib3 will check for these dependencies
whenever SSL/TLS is used, and therefore be on the safe side?
I mean, if e.g. openssl dynamically loaded libssl and silently defaulted to
using only aNULL and eNULL ciphersuites when it's not present, one would
probably also say "libssl is mandatory, since otherwise security isn't
guaranteed".
Cheers,
Chris
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-urllib3 depends on:
ii python-six 1.8.0-1
pn python:any <none>
Versions of packages python-urllib3 recommends:
ii ca-certificates 20141019
ii python-ndg-httpsclient 0.3.2-1
ii python-openssl 0.14-1
ii python-pyasn1 0.1.7-1
python-urllib3 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 1.9.1-3
Hello,
I can confirm that the system Python has the necessary security features
backported, since 2.7.8-7 (and 221a1f9155e2, releasing in 2.7.9, upstream), so
this can be closed.
I'm indicating the version of urllib3 in Jessie to be more complete in this
note, but the problem was fixed in system Python.
Kind regards,
--
Daniele Tricoli 'eriol'
https://mornie.org
--- End Message ---
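A Python check for the gap the reporter describes and the backport the maintainer cites, added here as an example and not part of either message or of Debian's packaging: it reports whether the interpreter itself provides SNI and can switch TLS compression off (the two things PEP 466-era Pythons lacked), whether urllib3's pyOpenSSL shim (the module the Recommends exist for) is importable, and builds a client context with compression disabled. `tls_feature_report`, `assess`, `make_hardened_context` and `compression_disabled` are names of my own.

```python
import ssl


def tls_feature_report():
    """Booleans for the three capabilities the bug report is about."""
    try:
        # urllib3's pyOpenSSL shim; needs pyOpenSSL (and, on old urllib3,
        # ndg-httpsclient and pyasn1). Import only proves it is available:
        # an application still has to call inject_into_urllib3() to use it.
        import urllib3.contrib.pyopenssl  # noqa: F401
        shim = True
    except Exception:  # ImportError, or a broken pyOpenSSL/cryptography pair
        shim = False
    return {
        # ssl.HAS_SNI: the interpreter can send the server name in ClientHello
        "sni": bool(getattr(ssl, "HAS_SNI", False)),
        # OP_NO_COMPRESSION present: TLS compression (the CRIME vector) can be
        # turned off on an SSLContext
        "no_compression": hasattr(ssl, "OP_NO_COMPRESSION"),
        "pyopenssl_contrib": shim,
    }


def assess(report):
    """Native support or the shim is enough; lacking both is the reported gap."""
    findings = []
    shim = report["pyopenssl_contrib"]
    if not (report["sni"] or shim):
        findings.append("no SNI: name-based HTTPS hosts may serve the wrong certificate")
    if not (report["no_compression"] or shim):
        findings.append("TLS compression cannot be disabled: no CRIME mitigation")
    return findings


def make_hardened_context():
    """Client context with compression off and certificate/hostname checks on.
    create_default_context() already does this on Python 3.4+; the explicit
    OR documents the intent and is a no-op when the bit is already set."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def compression_disabled(ctx):
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    rep = tls_feature_report()
    for key, value in rep.items():
        print("{}: {}".format(key, value))
    for finding in assess(rep):
        print("FINDING: " + finding)
```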