[Secure-testing-team] Bug#766296: python-urllib3: shouldn't it depend on python-ndg-httpsclient, python-openssl and python-pyasn1

Christoph Anton Mitterer calestyo at scientia.net
Wed Oct 22 01:00:30 UTC 2014


Package: python-urllib3
Version: 1.9.1-2
Severity: important
Tags: security


Hi.

I've read that worrisome entry in the changelog.Debian:
>    - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
>      python-urllib3's Recomends to ensure that SNI works as expected and to
>      prevent CRIME attack

So apparently you say that without python-ndg-httpsclient, python-openssl
and python-pyasn1, python-urllib3 is vulnerable to at least CRIME, right?

But shouldn't it then Depend on all of those? Or is it guaranteed that
all code that might ever use python-urllib3 will check for these dependencies
whenever SSL/TLS is used, and therefore be on the safe side?

I mean, if e.g. openssl dynamically loaded libssl and silently defaulted to
using only aNULL and eNULL ciphersuites when it's not present, one would
probably also say "libssl is mandatory, since otherwise security isn't
guaranteed".

Cheers,
Chris


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-urllib3 depends on:
ii  python-six  1.8.0-1
pn  python:any  <none>

Versions of packages python-urllib3 recommends:
ii  ca-certificates         20141019
ii  python-ndg-httpsclient  0.3.2-1
ii  python-openssl          0.14-1
ii  python-pyasn1           0.1.7-1

python-urllib3 suggests no packages.

-- no debconf information
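The concern above is that a TLS stack may silently degrade (no SNI, compression left on) when optional helpers are missing. The following is an added example, not part of the original report or of urllib3 itself: a stdlib-only check that fails closed instead of degrading, plus a report of which of the three Recommends are importable. The import names ndg.httpsclient, OpenSSL and pyasn1 are assumed to be the modules shipped by the Debian packages named in the report.

```python
"""Verify the two properties the changelog entry promises: SNI support and
no TLS compression (the CRIME vector). Standard library only."""
import importlib
import ssl


def tls_stack_status():
    """Report what this interpreter's ssl module can actually guarantee."""
    ctx = ssl.create_default_context()
    # Do not rely on the default context alone: disable compression explicitly.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return {
        "has_sni": bool(ssl.HAS_SNI),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "openssl": ssl.OPENSSL_VERSION,
    }


def make_strict_context():
    """Build a client context, or raise rather than silently degrade.

    This is the fail-closed behaviour the report argues for: a missing
    capability becomes an error, not a quietly weaker connection.
    """
    status = tls_stack_status()
    if not status["has_sni"]:
        raise RuntimeError("ssl module lacks SNI support; refusing to continue")
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def optional_helpers_present():
    """Which of the three Recommends from the bug report are importable here.

    Package-to-module mapping is an assumption of this example.
    """
    modules = {
        "python-ndg-httpsclient": "ndg.httpsclient",
        "python-openssl": "OpenSSL",
        "python-pyasn1": "pyasn1",
    }
    found = {}
    for pkg, mod in modules.items():
        try:
            found[pkg] = importlib.util.find_spec(mod) is not None
        except (ImportError, ValueError):
            # find_spec on a dotted name fails if the parent package is absent.
            found[pkg] = False
    return found
```

On the reporter's system all three helpers would report True; on a minimal install the dictionary shows exactly which ones are missing, while the strict context still refuses to run without SNI and never leaves compression enabled.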
