This bug was fixed in the package python2.7 - 2.7.17-1~18.04ubuntu1.2 --------------- python2.7 (2.7.17-1~18.04ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: CRLF injection - debian/patches/CVE-2020-26116.patch: prevent header injection in http methods in Lib/httplib.py, Lib/test/test_httlib.py. - CVE-2020-26116 * debian/patches/issue9146.patch: re-adding fix FIPS mode environments where MD5 isn't available in Modules/_hashopenssl.c. (LP: #1898078) -- leo.barb...@canonical.com (Leonidas S. Barbosa) Wed, 30 Sep 2020 10:38:04 -0300 ** Changed in: python2.7 (Ubuntu Bionic) Status: New => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26116 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1898078 Title: FIPS OpenSSL crashes Python2.7 hashlib when using MD5 Status in python2.7 package in Ubuntu: New Status in python2.7 source package in Xenial: New Status in python2.7 source package in Bionic: Fix Released Status in python2.7 source package in Focal: New Status in python2.7 source package in Groovy: New Bug description: LP #1835135 was fixed in python2.7. However, when python2.7 was updated to current verion, the fix was not included. It needs to be included again into current version of python2.7 to prevent FIPS issues when using fips openssl with python's hashlib. This is only a problem in latest python2.7 versions in xenial, bionic, focal, and groovy. python3 versions do not have this problem in these releases. The fix was a backport of https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp