Your message dated Mon, 21 Nov 2016 21:50:11 +0000
with message-id <[email protected]>
and subject line Bug#844234: fixed in openssl 1.1.0c-2
has caused the Debian Bug report #844234,
regarding libssl1.1: 1.1.0c broke Python
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
844234: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl1.1
Version: 1.1.0c-1
Severity: critical
Tags: upstream
Justification: breaks unrelated software

Hi,

update to 1.1.0c broke Python ssl wrapper. I have first faced the issue
with offlineimap, which would crash with the [Errno 0] Error and the
following stack-trace when trying to refresh OAuth2 token from google:

Traceback:
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 271, in syncrunner
    self.__sync()
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 334, in __sync
    remoterepos.getfolders()
  File "/usr/share/offlineimap/offlineimap/repository/IMAP.py", line 452, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 540, in acquireconnection
    self.__authn_helper(imapobj)
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 406, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 340, in __authn_xoauth2
    imapobj.authenticate('XOAUTH2', self.__xoauth2handler)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 705, in authenticate
    typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper())
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1692, in _simple_command
    return self._command_complete(self._command(name, *args), kw)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1418, in _command
    literal = literator(data, rqb)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2283, in process
    ret = self.mech(self.decode(data))
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 239, in __xoauth2handler
    six.reraise(type(e), type(e)(msg), exc_info()[2])
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 233, in __xoauth2handler
    self.oauth2_request_url, urllib.urlencode(params)).read()
  File "/usr/lib/python2.7/socket.py", line 355, in read
    data = self._sock.recv(rbufsize)
  File "/usr/lib/python2.7/ssl.py", line 766, in recv
    return self.read(buflen)
  File "/usr/lib/python2.7/ssl.py", line 653, in read
    v = self._sslobj.read(len)

These seem to be relevant upstream bugs:
 * https://github.com/openssl/openssl/issues/1919 (which was merged to 1903)
 * https://github.com/openssl/openssl/issues/1903

Downgrading to 1.1.0b (by installing libssl1.1_1.1.0b-2_amd64.deb from
snapshots) resolves the issue (and introduces back the vulnerability).

Best,
Antonin

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.1 depends on:
ii  debconf [debconf-2.0]  1.5.59
ii  libc6                  2.24-5

libssl1.1 recommends no packages.

libssl1.1 suggests no packages.

-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.1.0c-2

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 21 Nov 2016 22:20:00 +0100
Source: openssl
Binary: openssl libssl1.1 libcrypto1.1-udeb libssl1.1-udeb libssl-dev libssl-doc libssl1.1-dbg
Architecture: source
Version: 1.1.0c-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Kurt Roeckx <[email protected]>
Description:
 libcrypto1.1-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.1  - Secure Sockets Layer toolkit - shared libraries
 libssl1.1-dbg - Secure Sockets Layer toolkit - debug information
 libssl1.1-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 844234 844715
Changes:
 openssl (1.1.0c-2) unstable; urgency=medium
 .
   * Revert behaviour of SSL_read() and SSL_write(), and update documentation.
     (Closes: #844234)
   * Add missing -zdelete on x32 (Closes: #844715)
   * Add a Breaks on salt-common. Addresses #844706
--- End Message ---

