This bug was fixed in the package python2.7 - 2.7.17-1~18.04ubuntu1.2
---------------
python2.7 (2.7.17-1~18.04ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: CRLF injection
- debian/patches/CVE-2020-26116.patch: prevent header injection
in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
- CVE-2020-26116
* debian/patches/issue9146.patch: re-adding fix FIPS mode environments where
MD5
isn't available in Modules/_hashopenssl.c. (LP: #1898078)
-- leo.barb...@canonical.com (Leonidas S. Barbosa) Wed, 30 Sep 2020
10:38:04 -0300
** Changed in: python2.7 (Ubuntu Bionic)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26116
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1898078
Title:
FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Status in python2.7 package in Ubuntu:
New
Status in python2.7 source package in Xenial:
New
Status in python2.7 source package in Bionic:
Fix Released
Status in python2.7 source package in Focal:
New
Status in python2.7 source package in Groovy:
New
Bug description:
LP #1835135 was fixed in python2.7. However, when python2.7 was
updated to current verion, the fix was not included. It needs to be
included again into current version of python2.7 to prevent FIPS
issues when using fips openssl with python's hashlib. This is only a
problem in latest python2.7 versions in xenial, bionic, focal, and
groovy. python3 versions do not have this problem in these releases.
The fix was a backport of
https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
