Package: libssl1.1
Version: 1.1.0c-1
Severity: critical
Tags: upstream
Justification: breaks unrelated software

Hi,

the update to 1.1.0c broke the Python ssl wrapper. I first faced the issue with offlineimap, which would crash with the [Errno 0] Error and the following stack trace when trying to refresh the OAuth2 token from Google:

Traceback:
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 271, in syncrunner
    self.__sync()
  File "/usr/share/offlineimap/offlineimap/accounts.py", line 334, in __sync
    remoterepos.getfolders()
  File "/usr/share/offlineimap/offlineimap/repository/IMAP.py", line 452, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 540, in acquireconnection
    self.__authn_helper(imapobj)
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 406, in __authn_helper
    if func(imapobj):
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 340, in __authn_xoauth2
    imapobj.authenticate('XOAUTH2', self.__xoauth2handler)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 705, in authenticate
    typ, dat = self._simple_command('AUTHENTICATE', mechanism.upper())
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1692, in _simple_command
    return self._command_complete(self._command(name, *args), kw)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 1418, in _command
    literal = literator(data, rqb)
  File "/usr/lib/python2.7/dist-packages/imaplib2.py", line 2283, in process
    ret = self.mech(self.decode(data))
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 239, in __xoauth2handler
    six.reraise(type(e), type(e)(msg), exc_info()[2])
  File "/usr/share/offlineimap/offlineimap/imapserver.py", line 233, in __xoauth2handler
    self.oauth2_request_url, urllib.urlencode(params)).read()
  File "/usr/lib/python2.7/socket.py", line 355, in read
    data = self._sock.recv(rbufsize)
  File "/usr/lib/python2.7/ssl.py", line 766, in recv
    return self.read(buflen)
  File "/usr/lib/python2.7/ssl.py", line 653, in read
    v = self._sslobj.read(len)

These seem to be the relevant upstream bugs:

 * https://github.com/openssl/openssl/issues/1919 (which was merged into 1903)
 * https://github.com/openssl/openssl/issues/1903

Downgrading to 1.1.0b (by installing libssl1.1_1.1.0b-2_amd64.deb from snapshots) resolves the issue (and reintroduces the vulnerability).

Best,
Antonin

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.1 depends on:
ii  debconf [debconf-2.0]  1.5.59
ii  libc6                  2.24-5

libssl1.1 recommends no packages.

libssl1.1 suggests no packages.

-- debconf information excluded