[issue43382] github CI blocked by the Ubuntu CI with an SSL error
Dimitri John Ledkov added the comment:

BTW. It would be advisable for Python 3 to start enforcing security level 2, and to prohibit DTLS v1.1 and lower by default too, by configuring the openssl library on the host with a security level setting and/or setting minimum versions (if the openssl on the host supports such an API). Allowing the use of TLS v1.1 and lower out of the box is irresponsible.

--
Python tracker <https://bugs.python.org/issue43382>
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue43382] github CI blocked by the Ubuntu CI with an SSL error
Dimitri John Ledkov added the comment:

Ubuntu 20.04+ compiles OpenSSL with the default security level set to 2, and further customizes security level 2 to prohibit TLS below v1.2 and DTLS below v1.2. You can export a custom openssl configuration that sets the security level back to 1, which is compatible across any openssl series.

```
export OPENSSL_CONF=`pwd`/openssl.cnf
cat openssl.cnf
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
```

Or you can use native APIs to reset the security level to 1 in the test-suite, i.e. via the SSL_CTX_set_security_level API binding. This is documented behaviour in the Ubuntu manpages of OpenSSL and on Ubuntu Discourse:

https://manpages.ubuntu.com/manpages/focal/en/man3/SSL_CTX_set_security_level.3ssl.html
https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/8

OpenSSL upstream for the 3.0.0 series is refusing to bump the minimum required protocol versions to prohibit old versions of TLS out of the box, and also doesn't have a standard way to disable them. Hence the implementation is different in Debian, Ubuntu and Fedora. Debian's implementation is buggy with respect to DTLS, and the default openssl.cnf breaks the 1.0.2x series libssl. And as far as I know the Fedora implementation requires use of the crypto-policies package, which is quite advanced and not trivial to integrate in smaller environments.

--
nosy: +xnox

Python tracker <https://bugs.python.org/issue43382>
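The two comments above describe the same setting from two sides: the host-wide openssl.cnf override (SECLEVEL=1 for a test suite) and the recommendation that Python enforce security level 2 and TLS >= 1.2 itself. The following is an added example, not code from the thread or from CPython: Python's ssl module has no direct binding for SSL_CTX_set_security_level, but the `@SECLEVEL=n` suffix on the cipher string reaches the same OpenSSL setting, so a per-process context can enforce (or, for tests only, relax) the level independently of what the distribution ships. The helper names (`hardened_client_context`, `legacy_test_context`, `audit`) are this example's own, and it assumes an OpenSSL 1.1.1+ build where `SSLContext.minimum_version` and `get_ciphers()` are available.

```python
import ssl


def hardened_client_context(seclevel=2):
    """Client context enforcing what the comment above recommends as a default.

    minimum_version refuses TLS 1.0/1.1 regardless of the host openssl.cnf;
    "@SECLEVEL=2" is the cipher-string equivalent of SSL_CTX_set_security_level(ctx, 2)
    (no direct Python binding exists for that call).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    return ctx


def legacy_test_context():
    """Per-process equivalent of `CipherString = DEFAULT@SECLEVEL=1` from the
    openssl.cnf above, for a test suite that must talk to old fixtures.

    Hypothetical helper: it only touches the one context, not the host policy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT@SECLEVEL=1")
    return ctx


def allows_pre_tls12(ctx):
    """True if the context could still negotiate TLS 1.1 or lower."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def weakest_cipher_bits(ctx):
    """Lowest strength (in bits) among the cipher suites the context will offer."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def audit(ctx):
    """Summary a CI job can log to prove the effective TLS policy of a context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "allows_pre_tls12": allows_pre_tls12(ctx),
        "weakest_cipher_bits": weakest_cipher_bits(ctx),
        "openssl": ssl.OPENSSL_VERSION,
    }


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("legacy  :", audit(legacy_test_context()))
```

Setting OPENSSL_CONF as the comment shows changes every OpenSSL consumer in that process environment; scoping the relaxation to one context, as `legacy_test_context` does, keeps the rest of the CI job at the distribution's level 2.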
[issue38708] parse_message_id in email module is very buggy / crashy
Dimitri John Ledkov added the comment:

Yes, issue38698 covers the UnboundLocalError, but doesn't cover this gem inside get_msg_id:

```
def get_msg_id(value):
    msg_id = MsgID()
    if value[0] in CFWS_LEADER:
```

It should test value before accessing value[0], like it is done in other places, i.e.:

```
if value and value[0] in CFWS_LEADER:
```

or indent the whole block to iterate over value with:

```
while value:
    ...
```

which also tests that value has a [0] index. I guess I want to repurpose this issue for the value[0] IndexError in get_msg_id().

--
Python tracker <https://bugs.python.org/issue38708>
[issue38708] parse_message_id in email module is very buggy / crashy
New submission from Dimitri John Ledkov:

The email module has recently got parse_message_id, which is more strict now than before. However, it's not programmed as defensively as expected. Given a bogus Message-ID, it crashes with an unbound local variable, or with something like accessing a non-existing index. So hyperkitty had a Message-ID of "X"*260 in the test suite that used to pass with 3.7, but fails with 3.8.

```
ERROR: test_long_message_id (hyperkitty.tests.lib.test_incoming.TestAddToList)
Traceback (most recent call last):
  File "./hyperkitty/tests/lib/test_incoming.py", line 295, in test_long_message_id
    msg["Message-ID"] = "X" * 260
  File "/usr/lib/python3.8/email/message.py", line 409, in __setitem__
    self._headers.append(self.policy.header_store_parse(name, val))
  File "/usr/lib/python3.8/email/policy.py", line 148, in header_store_parse
    return (name, self.header_factory(name, value))
  File "/usr/lib/python3.8/email/headerregistry.py", line 602, in __call__
    return self[name](name, value)
  File "/usr/lib/python3.8/email/headerregistry.py", line 197, in __new__
    cls.parse(value, kwds)
  File "/usr/lib/python3.8/email/headerregistry.py", line 530, in parse
    kwds['parse_tree'] = parse_tree = cls.value_parser(value)
  File "/usr/lib/python3.8/email/_header_value_parser.py", line 2116, in parse_message_id
    message_id.append(token)
UnboundLocalError: local variable 'token' referenced before assignment
```

Similarly another user, surkova, reports that value[0] in the get_msg_id function is buggy too (it doesn't check that value has a member). First reported at https://github.com/python/cpython/pull/13397#discussion_r341968031

Ideally, I'd like the function to raise a documented exception for an invalid Message-ID, but not fail with what look like regular programming bugs in the email module. The expectation is that the email module is either more permissive or is coded with more defence-in-depth, with more checking in place.

--
messages: 356072
nosy: xnox
priority: normal
severity: normal
status: open
title: parse_message_id in email module is very buggy / crashy
versions: Python 3.8, Python 3.9

Python tracker <https://bugs.python.org/issue38708>
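The report above asks for one documented exception on a bad Message-ID instead of an IndexError or UnboundLocalError leaking out of the parser. As an added example (not code from the issue or from CPython), the wrapper below drives the real email module through `EmailMessage` with the default policy and maps both outcomes to a single `InvalidMessageId`: on 3.8.1+ the parser records a header defect for the "X"*260 and empty cases, while an unpatched 3.8.0 raises the programming errors shown in the traceback. The class and function names, and the constructed `SAMPLES`, are this example's own.

```python
from email.message import EmailMessage
from email.policy import default as default_policy


class InvalidMessageId(ValueError):
    """Single documented error for any Message-ID the header parser cannot accept."""


def parse_message_id_strict(value):
    """Parse a Message-ID header value via the email module and return it as a str.

    Parser-reported defects (the fixed parser attaches a defect instead of
    crashing) and the raw IndexError / UnboundLocalError of the unpatched 3.8.0
    parser are both surfaced as InvalidMessageId, so callers see one failure mode.
    """
    msg = EmailMessage(policy=default_policy)
    try:
        msg["Message-ID"] = value
    except (IndexError, UnboundLocalError, ValueError) as exc:
        # Defence in depth: a parser bug must not become an unexplained 500.
        raise InvalidMessageId(f"parser failed on {value!r}: {exc}") from exc
    header = msg["Message-ID"]
    defects = list(getattr(header, "defects", ()))
    if defects:
        names = ", ".join(type(d).__name__ for d in defects)
        raise InvalidMessageId(f"{value!r} rejected: {names}")
    return str(header)


def message_id_is_valid(value):
    """Boolean form for callers that only need accept/reject."""
    try:
        parse_message_id_strict(value)
    except InvalidMessageId:
        return False
    return True


# Constructed inputs: a well-formed id, the hyperkitty 260-char case, and empty.
SAMPLES = ["<abc123@example.com>", "X" * 260, ""]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:24]), "valid" if message_id_is_valid(sample) else "rejected")
```

Checking `header.defects` is the part that matters on fixed releases: the assignment succeeds, the bogus value is stored unstructured, and only the defect list tells you the id was not actually parsed.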
[issue34836] test_ssl.test_default_ecdh_curve needs no tls1.3 flag in 2.7, for now
Change by Dimitri John Ledkov:

--
keywords: +patch
pull_requests: +9024
stage: -> patch review

Python tracker <https://bugs.python.org/issue34836>
[issue34836] test_ssl.test_default_ecdh_curve needs no tls1.3 flag in 2.7, for now
New submission from Dimitri John Ledkov:

test_default_ecdh_curve fails, as ssl.OP_NO_TLSv1_3 is not set on the context, and the test case can only work with non-TLS 1.3 connections. This indicates that the pull request that sprinkled ssl.OP_NO_TLSv1_3 everywhere was not backported, taking into account all the other backports that did subsequently remove those flags in many test cases. At the moment that test case is failing, but it would be nice if it didn't.

--
messages: 326644
nosy: xnox
priority: normal
severity: normal
status: open
title: test_ssl.test_default_ecdh_curve needs no tls1.3 flag in 2.7, for now
versions: Python 2.7

Python tracker <https://bugs.python.org/issue34836>
[issue34834] test_ssl.test_options does not correctly account for built-in ctx defaults with openssl 1.1.1
Change by Dimitri John Ledkov:

--
keywords: +patch
pull_requests: +9022
stage: -> patch review

Python tracker <https://bugs.python.org/issue34834>
[issue34834] test_ssl.test_options does not correctly account for built-in ctx defaults with openssl 1.1.1
New submission from Dimitri John Ledkov:

self.assertEqual(default, ctx.options) in test_options fails with openssl 1.1.1, as it does not correctly account for OP_ENABLE_MIDDLEBOX_COMPAT. It is not defined by the python2.7 ssl module either. Either ssl.OP_ENABLE_MIDDLEBOX_COMPAT needs to be backported, or the test case should just add that constant in when the openssl version is >= 1.1.1.

--
messages: 326642
nosy: xnox
priority: normal
severity: normal
status: open
title: test_ssl.test_options does not correctly account for built-in ctx defaults with openssl 1.1.1
versions: Python 2.7

Python tracker <https://bugs.python.org/issue34834>
[issue34818] test.test_ssl.ThreadedTests.test_tls1_3 fails in 2.7 with AttributeError: __exit__
Dimitri John Ledkov added the comment:

Similar client sockets are used in that file, but they are wrapped in an extra `with closing(...) as s:`. Is the closing() wrapper missing in this test case?

--
Python tracker <https://bugs.python.org/issue34818>
[issue34818] test.test_ssl.ThreadedTests.test_tls1_3 fails in 2.7 with AttributeError: __exit__
New submission from Dimitri John Ledkov:

test.test_ssl.ThreadedTests.test_tls1_3 fails in 2.7 with AttributeError: __exit__

When building python 2.7, updated to 20180926 from the 2.7 branch, on Ubuntu 18.10 (cosmic) with OpenSSL 1.1.1, test_ssl errors out like so:

```
ERROR: test_tls1_3 (test.test_ssl.ThreadedTests)
Traceback (most recent call last):
  File "/usr/lib/python2.7/test/test_ssl.py", line 2815, in test_tls1_3
    with context.wrap_socket(socket.socket()) as s:
AttributeError: __exit__
```

Distribution issue: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1759172

--
assignee: christian.heimes
components: SSL
messages: 326534
nosy: christian.heimes, xnox
priority: normal
severity: normal
status: open
title: test.test_ssl.ThreadedTests.test_tls1_3 fails in 2.7 with AttributeError: __exit__
versions: Python 2.7

Python tracker <https://bugs.python.org/issue34818>
[issue34670] Add set_post_handshake_auth for TLS 1.3
Dimitri John Ledkov added the comment:

Will this be backported to the 2.7 branch as well? Pretty please =)

--
nosy: +xnox

Python tracker <https://bugs.python.org/issue34670>
[issue25751] ctypes.util , Shell Injection in find_library()
Dimitri John Ledkov added the comment:

Whilst fixed in 3.5, it is not fixed in 2.7. And the reporter believes this is a security vulnerability. Can this be cherry-picked into the 2.7 branch?

--
nosy: +xnox

Python tracker <http://bugs.python.org/issue25751>
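The issue referenced above is a shell injection in ctypes.util.find_library(): the library name reached a shell command line. As an added example (not the CPython fix and not code from the issue), the helper below shows the shape a library lookup should have so that no caller-supplied string is ever interpreted by /bin/sh: the name is validated against a strict allow-list, ldconfig is invoked with an argument list rather than a shell string, and its output is parsed in Python. The function names, the `runner` injection point and `SAMPLE_LDCONFIG` (constructed in the usual glibc `ldconfig -p` format) are this example's own assumptions.

```python
import re
import subprocess

# Library names passed to find_library() are simple tokens ("c", "ssl", "stdc++");
# anything outside this set is refused rather than placed on a command line.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.+-]+$")

# One `ldconfig -p` entry, e.g.:
#   libssl.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so.3
_LDCONFIG_LINE = re.compile(
    r"^\s*lib(?P<name>[^\s.]+)\.so(?:\.\d+)*\s+\([^)]*\)\s+=>\s+(?P<path>\S+)\s*$"
)


def is_safe_library_name(name):
    """Allow-list check applied before the name is used anywhere."""
    return bool(_SAFE_NAME.match(name))


def parse_ldconfig_output(output, name):
    """Return the path of the first cache entry whose soname is lib<name>.so[.N...]."""
    for line in output.splitlines():
        match = _LDCONFIG_LINE.match(line)
        if match and match.group("name") == name:
            return match.group("path")
    return None


def find_library_safe(name, runner=subprocess.run):
    """Locate lib<name> via the ldconfig cache without invoking a shell.

    `runner` defaults to subprocess.run and is injectable so the lookup can be
    exercised offline (hypothetical parameter, not part of ctypes.util).
    """
    if not is_safe_library_name(name):
        raise ValueError(f"refusing to look up library name {name!r}")
    try:
        # argv list and shell=False: the name is data, never shell syntax.
        proc = runner(["/sbin/ldconfig", "-p"], capture_output=True, text=True,
                      env={"LANG": "C", "LC_ALL": "C"}, check=False)
    except OSError:
        return None  # ldconfig not present on this host
    if proc.returncode != 0:
        return None
    return parse_ldconfig_output(proc.stdout, name)


# Constructed `ldconfig -p` output used by the offline runner below.
SAMPLE_LDCONFIG = """\
3 libs found in cache /etc/ld.so.cache
\tlibssl.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so.3
\tlibc.so.6 (libc6,x86-64, OS ABI: Linux 3.2.0) => /lib/x86_64-linux-gnu/libc.so.6
\tlibcrypto.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libcrypto.so.3
"""


def fake_runner(argv, **kwargs):
    """Stand-in for subprocess.run that returns the constructed cache listing."""
    return subprocess.CompletedProcess(argv, 0, stdout=SAMPLE_LDCONFIG, stderr="")


if __name__ == "__main__":
    for lib in ("c", "ssl", "nosuchlib"):
        print(lib, "->", find_library_safe(lib, runner=fake_runner))
```

The validation step is the second line of defence; the argument-list invocation alone already removes the shell from the picture, and the allow-list makes the intent auditable when the helper is reviewed.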
[issue1322] Deprecate platform.dist() and platform.linux_distribution() functions
Dimitri John Ledkov added the comment:

Why not change them to parse os-release files as defined by http://www.freedesktop.org/software/systemd/man/os-release.html

A lot of things use these functions to check what one is running on, despite the problems, and do different things at install time. This deprecation and eventual removal will result in a PyPI module created with such functionality anyway, that everyone will try to pull in or, failing that, copy in.

Here in the https://clearlinux.org team we have patches to switch these to parse the /etc/os-release;/usr/lib/os-release files instead. Would you be open to deprecating parsing any other files but os-release going forward? As that has been standard across all Linux distributions for quite some time now.

Regards,
Dimitri.
Debian Developer, Ubuntu Core Developer, Clear Linux* Project Developer.

--
nosy: +xnox

Python tracker <http://bugs.python.org/issue1322>
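The comment proposes parsing os-release in the /etc/os-release, /usr/lib/os-release order. As an added example (not the Clear Linux patches and not CPython's later platform.freedesktop_os_release), here is a parser that follows the file's documented rules: KEY=VALUE lines, values shell-quoted with `"`, `'` or backslash escapes, comments and blank lines ignored, first path that exists wins. Function names and the constructed `SAMPLE_OS_RELEASE` (modelled on an Ubuntu 20.04 file) are this example's own.

```python
import shlex

# Search order from the os-release specification: /etc first, /usr/lib as fallback.
OS_RELEASE_PATHS = ("/etc/os-release", "/usr/lib/os-release")


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict.

    Values are shell-compatible strings: bare, "double"- or 'single'-quoted,
    possibly with backslash escapes. Blank lines and # comments are skipped.
    """
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            continue
        # shlex.split applies the same quoting rules a POSIX shell would,
        # without expanding variables, which is exactly what the spec calls for.
        parts = shlex.split(value, comments=False)
        data[key] = " ".join(parts)
    return data


def load_os_release(paths=OS_RELEASE_PATHS):
    """Return the parsed first file found, or {} if no os-release file exists."""
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                return parse_os_release(fh.read())
        except FileNotFoundError:
            continue
    return {}


def dist_info(data):
    """(id, version_id, codename) in the spirit of the platform.dist() tuple."""
    return (data.get("ID", ""), data.get("VERSION_ID", ""), data.get("VERSION_CODENAME", ""))


def id_like(data):
    """ID followed by its ID_LIKE ancestors, e.g. ('ubuntu', 'debian')."""
    if "ID" not in data:
        return ()
    return tuple([data["ID"]] + data.get("ID_LIKE", "").split())


# Constructed sample in the Ubuntu 20.04 layout.
SAMPLE_OS_RELEASE = """\
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
VERSION_CODENAME=focal
# UBUNTU_CODENAME mirrors VERSION_CODENAME on this release
UBUNTU_CODENAME=focal
HOME_URL="https://www.ubuntu.com/"
"""

if __name__ == "__main__":
    print(dist_info(parse_os_release(SAMPLE_OS_RELEASE)))
    print(dist_info(load_os_release()))  # whatever this host reports
```

Using `ID_LIKE` (via `id_like`) rather than string-matching `NAME` is what keeps install-time branching working on derivatives, which is the failure mode the comment describes for the old distro-specific file parsers.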
[issue1322] Deprecate platform.dist() and platform.linux_distribution() functions
Dimitri John Ledkov added the comment:

Note that things have changed in this space, since the issue was opened in 2007.

--
Python tracker <http://bugs.python.org/issue1322>
[issue23168] test_file2k.py depends on sys.stdin being unseekable
Dimitri John Ledkov added the comment:

> Removing a test when it doesn't pass is not the correct way to fix a test...

Whilst I agree, this is not what was done in http://bugs.python.org/issue14853 . There it was concluded that the test itself is bogus and tests essentially nothing.

--
Python tracker <http://bugs.python.org/issue23168>
[issue23170] test_uuid test_ifconfig_getnode fails with Temporary failure in name resolution
New submission from Dimitri John Ledkov:

Building 3.4.2 and running the test suite on Linux, test_uuid test_ifconfig_getnode fails as follows:

```
[365/388] test_uuid
Warning -- sys.path was modified by test_site
test test_uuid failed -- Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-3.4.2/Lib/test/test_uuid.py", line 318, in test_ifconfig_getnode
    node = uuid._ifconfig_getnode()
  File "/builddir/build/BUILD/Python-3.4.2/Lib/uuid.py", line 356, in _ifconfig_getnode
    ip_addr = socket.gethostbyname(socket.gethostname())
socket.gaierror: [Errno -3] Temporary failure in name resolution
```

Note that the run reports "Use of the 'network' resource not enabled".

--
components: Installation
messages: 233467
nosy: xnox
priority: normal
severity: normal
status: open
title: test_uuid test_ifconfig_getnode fails with Temporary failure in name resolution
type: compile error
versions: Python 3.4

Python tracker <http://bugs.python.org/issue23170>
[issue23170] test_uuid test_ifconfig_getnode fails with Temporary failure in name resolution
Dimitri John Ledkov added the comment:

The source code matches the 3.4.2 tarball exactly. There is no arp_getnode test that I can see.

```
@unittest.skipUnless(os.name == 'posix', 'requires Posix')
def test_ifconfig_getnode(self):
    node = uuid._ifconfig_getnode()
    if node is not None:
        self.check_node(node, 'ifconfig')
```

```
def _ifconfig_getnode():
    """Get the hardware address on Unix by running ifconfig."""

    # This works on Linux ('' or '-a'), Tru64 ('-av'), but not all Unixes.
    for args in ('', '-a', '-av'):
        mac = _find_mac('ifconfig', args, ['hwaddr', 'ether'], lambda i: i+1)
        if mac:
            return mac

    import socket
    ip_addr = socket.gethostbyname(socket.gethostname())

    # Try getting the MAC addr from arp based on our IP address (Solaris).
    mac = _find_mac('arp', '-an', [ip_addr], lambda i: -1)
    if mac:
        return mac

    # This might work on HP-UX.
    mac = _find_mac('lanscan', '-ai', ['lan0'], lambda i: 0)
    if mac:
        return mac

    return None
```

And I do not see any try/except protections around it.

--
Python tracker <http://bugs.python.org/issue23170>
[issue23170] test_uuid test_ifconfig_getnode fails with Temporary failure in name resolution
Dimitri John Ledkov added the comment:

I guess this is related to http://bugs.python.org/issue17293, however I get a test-suite fail / exception there with 3.4.2 on Linux.

--
Python tracker <http://bugs.python.org/issue23170>
[issue17293] uuid.getnode() MAC address on AIX
Dimitri John Ledkov added the comment:

I'm getting socket.gaierror from test_ifconfig_getnode / uuid._ifconfig_getnode() on python 3.4.2 on Linux, in a no-network environment. Thus I'd like to see these try:/except: blocks ported back to the 3.4 branch, if they haven't been already. I filed http://bugs.python.org/issue23170 to track my issue. Feel free to close that one as a (related) dupe of this one.

--
nosy: +xnox

Python tracker <http://bugs.python.org/issue17293>
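The two issues above (23170 and 17293) are about the same gap in the 3.4.2 code quoted earlier: `socket.gethostbyname(socket.gethostname())` runs with no try/except, so an offline build box turns a best-effort MAC lookup into a test failure. The following is an added example, not the uuid module's code or the fix that landed: it wraps the resolution step so failure yields None, and it parses Linux-style `arp -an` output in Python (uuid's `_find_mac` returns an int, and so does this). `local_ip_or_none`, `mac_from_arp_output`, `node_from_arp`, the `resolver` parameter and `SAMPLE_ARP` are this example's own constructions; the arp layout assumed is the Linux one, whereas the quoted code's arp fallback was aimed at Solaris.

```python
import re
import socket

# 48-bit hardware address as printed by arp/ifconfig (aa:bb:cc:dd:ee:ff).
_MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def local_ip_or_none(hostname=None):
    """Resolve the local hostname, returning None instead of raising offline.

    This is the try/except the quoted _ifconfig_getnode() lacks: a name
    resolution failure must not abort a best-effort lookup.
    """
    if hostname is None:
        hostname = socket.gethostname()
    try:
        return socket.gethostbyname(hostname)
    except (socket.gaierror, socket.herror, OSError):
        return None


def mac_from_arp_output(output, ip_addr):
    """Find the MAC for ip_addr in Linux-style `arp -an` output, as an int, else None.

    Matching on "(ip_addr)" with the parentheses avoids 192.168.1.1 matching
    the 192.168.1.10 entry; incomplete entries carry no MAC and are skipped.
    """
    needle = f"({ip_addr})"
    for line in output.splitlines():
        if needle in line:
            match = _MAC_RE.search(line)
            if match:
                return int(match.group(1).replace(":", ""), 16)
    return None


def node_from_arp(ip_addr=None, arp_output="", resolver=local_ip_or_none):
    """arp-based node lookup that degrades to None when the host cannot resolve itself."""
    if ip_addr is None:
        ip_addr = resolver()
        if ip_addr is None:
            return None  # offline: skip this source rather than crash the caller
    return mac_from_arp_output(arp_output, ip_addr)


# Constructed `arp -an` output in the Linux format; addresses are made up.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.10) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.20) at <incomplete> on eth0
"""

if __name__ == "__main__":
    print("resolved local ip:", local_ip_or_none())
    print("node for .10      :", hex(mac_from_arp_output(SAMPLE_ARP, "192.168.1.10")))
    print("offline lookup    :", node_from_arp(arp_output=SAMPLE_ARP, resolver=lambda: None))
```

Returning None from each fallback keeps the contract `test_ifconfig_getnode` relies on (`if node is not None:`), so an offline run skips the check instead of failing it.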