Package: python3-cryptography
Version: 2.6.1-3+deb10u2
Severity: normal
Tags: security

A long-running, twisted-based server occasionally (days to weeks) gets aborted when processing HTTPS requests. Here's a basic core dump from an abort:

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f604e0d2535 in __GI_abort () at abort.c:79
#2 0x00007f604e129508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f604e23428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f604e12fc1a in malloc_printerr (str=str@entry=0x7f604e23243b "free(): invalid pointer") at malloc.c:5341
#4 0x00007f604e13142c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:4165
#5 0x00007f604d77a9be in SSL_SESSION_free () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
#6 0x00007f604d5ddc8c in OPENSSL_LH_doall_arg () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#7 0x00007f604d77bf57 in SSL_CTX_flush_sessions () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
#8 0x00007f604d7924d3 in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
#9 0x00007f604d787e3e in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
#10 0x00007f604d773f34 in SSL_do_handshake () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1
#11 0x00007f604d12971c in ?? () from /usr/lib/python3/dist-packages/cryptography/hazmat/bindings/_openssl.abi3.so
#12 0x00000000005ccba1 in _PyMethodDef_RawFastCallKeywords ()

This is about all I know at this point. I've not yet managed to trigger this on a development system.

On the operational system, I can live with having a watchdog restart the service when it gets aborted, so I could limp on until bullseye here. On the other hand, an invalid free in openssl sounds a bit unnerving, and so I thought I'd report this and offer to at least install debug packages and look more closely at the problem (disclaimer: as I may have to wait weeks until I'll get another abort, responses may be slow).

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8), LANGUAGE=en_US (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages python3-cryptography depends on:
ii  libc6                                                   2.28-10
ii  libssl1.1                                               1.1.1d-0+deb10u5
ii  python3                                                 3.7.3-1
ii  python3-asn1crypto                                      0.24.0-1
ii  python3-cffi-backend [python3-cffi-backend-api-min]     1.12.2-1
pn  python3-cffi-backend-api-max                            <none>
ii  python3-six                                             1.12.0-1

python3-cryptography recommends no packages.

Versions of packages python3-cryptography suggests:
pn  python-cryptography-doc        <none>
pn  python3-cryptography-vectors   <none>

-- no debconf information