Bug 214915

Summary: security/py-cryptography: Update to 1.6 (security fixes)
Product: Ports & Packages
Reporter: VK <vlad-fbsd>
Component: Individual Port(s)
Assignee: Mark Felder <feld>
Status: Closed FIXED
Severity: Affects Some People
CC: feld, ports-secteam, python
Priority: ---
Keywords: needs-qa, patch, security
Version: Latest
Flags: koobs: maintainer-feedback+
       vlad-fbsd: merge-quarterly?
Hardware: Any
OS: Any
URL: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Attachments:
  Bump py-cryptography to 1.6 (flags: none)
  Build log for Poudriere 9.3 amd64 python27 base ssl build test (FAIL) (flags: none)

Description VK freebsd_triage 2016-11-28 21:00:24 UTC
Please update py-cryptography to latest, 1.6. Contains a security fix for CVE-2016-9243 (fixed upstream in 1.5.3).
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-30 10:48:30 UTC
Pending patch, should get to this later this week. If you can provide a QA'd patch, I ought to be able to commit it sooner.
Comment 2 VK freebsd_triage 2016-11-30 17:19:51 UTC
Created attachment 177550 [details]
Bump py-cryptography to 1.6

Patch to bump py-cryptography to 1.6. Build tests done:

* Poudriere 11.0, amd64, python27, base ssl = OK
* Poudriere 10.3, amd64, python27, base ssl = OK
* Poudriere 9.3, amd64, python27, base ssl = FAIL

* Poudriere 11.0, amd64, python35, libressl = PENDING
* Poudriere 10.3, amd64, python35, libressl = PENDING
* Poudriere 9.3, amd64, python35, libressl = PENDING
Comment 3 VK freebsd_triage 2016-11-30 17:23:34 UTC
Created attachment 177551 [details]
Build log for Poudriere 9.3 amd64 python27 base ssl build test (FAIL).

Had to compress the log as it's 4M orig.
Comment 4 VK freebsd_triage 2016-11-30 17:54:17 UTC
More build tests:

* Poudriere 11.0, amd64, python35, libressl = OK
* Poudriere 10.3, amd64, python35, libressl = OK
* Poudriere 9.3, amd64, python35, libressl = OK (!)
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-12-04 22:19:31 UTC
A commit references this bug:

Author: feld
Date: Sun Dec  4 22:18:51 UTC 2016
New revision: 427810
URL: https://svnweb.freebsd.org/changeset/ports/427810

Log:
  security/py-cryptography: Update to 1.6

  Changelog:	https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

  PR:		214915
  Approved by:	ports-secteam (with hat)
  MFH:		2016Q4
  Security:	CVE-2016-9243

Changes:
  head/security/py-cryptography/Makefile
  head/security/py-cryptography/distinfo
  head/security/py-cryptography/files/
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-12-04 22:21:35 UTC
A commit references this bug:

Author: feld
Date: Sun Dec  4 22:20:29 UTC 2016
New revision: 427812
URL: https://svnweb.freebsd.org/changeset/ports/427812

Log:
  MFH: r427810

  security/py-cryptography: Update to 1.6

  Changelog:	https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

  PR:		214915
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2016-9243

Changes:
_U  branches/2016Q4/
  branches/2016Q4/security/py-cryptography/Makefile
  branches/2016Q4/security/py-cryptography/distinfo
  branches/2016Q4/security/py-cryptography/files/
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-12-04 22:29:44 UTC
A commit references this bug:

Author: feld
Date: Sun Dec  4 22:29:11 UTC 2016
New revision: 427813
URL: https://svnweb.freebsd.org/changeset/ports/427813

Log:
  Document py-cryptography vulnerability

  PR:		214915
  Security:	CVE-2016-9243

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Antoine Brodin freebsd_committer freebsd_triage 2016-12-05 07:01:15 UTC
Why was this committed and even MFHed when the build log says it fails to build?
Comment 9 VK freebsd_triage 2016-12-05 09:50:54 UTC
It fails on 9.3 with base OpenSSL. I looked into the code that fails but it's not something I can repatch.

One option is to mark it broken for 9.3 with base SSL, since 9.3 is about to be EOL'd very soon and nobody should be using OpenSSL that old anyway.

I meanwhile ran more tests, builds fine with py27 & py35 with ports OpenSSL on all three supported FreeBSD branches.
Comment 10 Mark Felder freebsd_committer freebsd_triage 2016-12-05 17:13:09 UTC
(In reply to Antoine Brodin from comment #8)

If we can't find a workaround for the build failure on 9.3 we'll have to mark it as BROKEN there. It doesn't make sense to leave all users vulnerable because it's broken on 9.3.

9.3 is also nearly EoL, so that was taken into consideration as well.
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2016-12-06 00:45:51 UTC
(In reply to Mark Felder from comment #10)

Conditionally use ports SSL. 
I prefer this over BROKEN as the package for 9.3 will be produced, and it's not broken, it's broken 

Later versions of cryptography removed support for older versions (< 1.0.0 iirc) of SSL.
Comment 12 commit-hook freebsd_committer freebsd_triage 2016-12-08 17:07:45 UTC
A commit references this bug:

Author: feld
Date: Thu Dec  8 17:07:23 UTC 2016
New revision: 428138
URL: https://svnweb.freebsd.org/changeset/ports/428138

Log:
  security/py-pycryptography: Fix build on FreeBSD 9.3

  Modern py-cryptography requires a more modern OpenSSL. This switch to
  requiring OpenSSL from ports is a disruptive change, but it will protect
  these users from the recently patched vulnerabilities.

  Support for OpenSSL 0.9.8 was removed in pycryptography as of version 1.4.
  The last release to support OpenSSL 0.9.8 was 1.3.4 which is still
  vulnerable to the HKDF key generation bug. It appears that version 1.4
  did build successfully on FreeBSD 9.3, but upstream had abandoned
  support for OpenSSL 0.9.8 at that point so it is unclear if it was fully
  functional.

  PR:		214915
  MFH:		2016Q4

Changes:
  head/security/py-cryptography/Makefile
Comment 13 commit-hook freebsd_committer freebsd_triage 2016-12-08 17:09:49 UTC
A commit references this bug:

Author: feld
Date: Thu Dec  8 17:08:55 UTC 2016
New revision: 428139
URL: https://svnweb.freebsd.org/changeset/ports/428139

Log:
  MFH: r428138

  security/py-pycryptography: Fix build on FreeBSD 9.3

  Modern py-cryptography requires a more modern OpenSSL. This switch to
  requiring OpenSSL from ports is a disruptive change, but it will protect
  these users from the recently patched vulnerabilities.

  Support for OpenSSL 0.9.8 was removed in pycryptography as of version 1.4.
  The last release to support OpenSSL 0.9.8 was 1.3.4 which is still
  vulnerable to the HKDF key generation bug. It appears that version 1.4
  did build successfully on FreeBSD 9.3, but upstream had abandoned
  support for OpenSSL 0.9.8 at that point so it is unclear if it was fully
  functional.

  PR:		214915

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/security/py-cryptography/Makefile
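A practical way to confirm that the package actually installed on a host is past the HKDF fix this PR tracks (CVE-2016-9243, fixed upstream in 1.5.3) is to exercise the affected code path rather than trust a version string alone. The script below is an added example and is not part of this PR, the ports tree or the pyca/cryptography project. It assumes the upstream 1.5.3 changelog description of the bug (HKDF returned an empty byte-string when the requested length was smaller than the hash's digest_size), uses RFC 5869 test case 1 as a known-answer vector, and derives 16 bytes with SHA-256 (digest_size 32) so that the buggy branch is hit. A pure-stdlib RFC 5869 implementation serves as the oracle; the function names (`hkdf_reference`, `version_is_fixed`, `check_installed_hkdf`) are my own.

```python
"""Check an installed python cryptography package against CVE-2016-9243.

Added example, not code from the FreeBSD PR or from pyca/cryptography.
Assumption (from the upstream 1.5.3 changelog): affected releases returned
an empty byte-string from HKDF.derive() when length < digest_size.
"""
import hashlib
import hmac


def hkdf_reference(hash_name, ikm, salt, info, length):
    """Pure-stdlib RFC 5869 HKDF (Extract then Expand), used as the oracle."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("length exceeds 255 * HashLen (RFC 5869 limit)")
    if not salt:
        salt = b"\x00" * digest_size          # RFC 5869: default salt is HashLen zeros
    prk = hmac.new(salt, ikm, hash_name).digest()     # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                          # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def version_is_fixed(version):
    """True when a cryptography version string is >= 1.5.3, the upstream fix."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:                      # stop at suffixes such as 'dev1' or 'rc2'
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) >= (1, 5, 3)


def check_installed_hkdf(length=16):
    """Return (verdict, detail); verdict is 'fixed', 'vulnerable' or 'not-installed'.

    length defaults to 16, below SHA-256's 32-byte digest_size, so that an
    affected release would take the branch that returned b"".
    """
    try:
        import cryptography
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.kdf.hkdf import HKDF
    except ImportError:
        return "not-installed", "python cryptography package is not importable"

    # Inputs taken from RFC 5869 test case 1 (constructed known-answer data).
    ikm = b"\x0b" * 22
    salt = bytes(range(13))
    info = bytes(range(0xF0, 0xFA))
    try:
        kdf = HKDF(algorithm=hashes.SHA256(), length=length, salt=salt,
                   info=info, backend=default_backend())
    except TypeError:                          # releases that no longer take backend=
        kdf = HKDF(algorithm=hashes.SHA256(), length=length, salt=salt, info=info)
    got = kdf.derive(ikm)
    expected = hkdf_reference("sha256", ikm, salt, info, length)
    ver = cryptography.__version__
    if got == expected:
        return "fixed", "%s: derive(%d) returned %d correct bytes" % (ver, length, len(got))
    return "vulnerable", "%s: derive(%d) returned %d bytes, expected %d" % (
        ver, length, len(got), length)


if __name__ == "__main__":
    verdict, detail = check_installed_hkdf()
    print(verdict, "-", detail)
```

Run it with the interpreter the port installs into (python2.7 or python3.5 in the matrix above); a result of `vulnerable` on a host that reports 1.5.3 or later would point at a stale `.pyc` or a second copy of the package on `sys.path` rather than at upstream.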
Comment 14 Mark Felder freebsd_committer freebsd_triage 2017-01-09 16:54:51 UTC
The change was reverted, but it doesn't matter anymore because 9.3 is EoL.

I should not be proud the "fix" is to wait for the OS to be EoL...