Please update py-cryptography to latest, 1.6. Contains a security fix for CVE-2016-9243 (fixed upstream in 1.5.3).
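For reference, the bug behind CVE-2016-9243 is that HKDF.derive() in pyca/cryptography before 1.5.3 returned an empty byte string when the requested length was shorter than the hash digest size. The following is an added example, not code from this PR or from the py-cryptography project: a stdlib-only RFC 5869 HKDF used as a reference, plus a regression check (the function names check_short_output and audit_installed_cryptography are this example's own) that can be pointed at the installed py-cryptography to confirm the fixed behaviour. The RFC 5869 Appendix A test vector is the published one; no other input is needed.

```python
"""Reference HKDF (RFC 5869) and a regression check for the py-cryptography
HKDF bug fixed upstream in 1.5.3 (CVE-2016-9243). Example code only."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). An empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), truncated to `length`."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("length out of range for HKDF-Expand")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    # Truncation is the step the vulnerable releases got wrong for short lengths.
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


# RFC 5869 Appendix A.1, test case 1 (HMAC-SHA-256): published vector, not constructed here.
RFC5869_IKM = bytes.fromhex("0b" * 22)
RFC5869_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC5869_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
RFC5869_PRK = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
RFC5869_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
)


def check_short_output(derive, digest_size: int = 32) -> bool:
    """Regression check for CVE-2016-9243 (name is this example's own).

    `derive(ikm, salt, info, length)` must return exactly `length` bytes for
    every length, including lengths below the digest size, where the
    vulnerable releases returned b''. It must also satisfy the HKDF prefix
    property: the output for a shorter length is a prefix of a longer one.
    """
    full = derive(RFC5869_IKM, RFC5869_SALT, RFC5869_INFO, digest_size + 10)
    for length in (1, 16, digest_size - 1, digest_size, digest_size + 1):
        out = derive(RFC5869_IKM, RFC5869_SALT, RFC5869_INFO, length)
        if len(out) != length or out != full[:length]:
            return False
    return True


def audit_installed_cryptography():
    """Run the same check against the installed pyca/cryptography, if any.

    Returns True (fixed), False (vulnerable behaviour), or None when the
    package is not importable.
    """
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.kdf.hkdf import HKDF
    except ImportError:
        return None

    def derive(ikm, salt, info, length):
        return HKDF(algorithm=hashes.SHA256(), length=length, salt=salt,
                    info=info, backend=default_backend()).derive(ikm)

    return check_short_output(derive)


if __name__ == "__main__":
    print("reference HKDF matches RFC 5869 vector:",
          hkdf(RFC5869_IKM, RFC5869_SALT, RFC5869_INFO, 42) == RFC5869_OKM)
    print("reference HKDF passes short-length check:", check_short_output(hkdf))
    print("installed py-cryptography passes short-length check:", audit_installed_cryptography())
```

Run it on the host after the port update: a `True` on the last line means the installed module derives correctly for lengths shorter than the digest size; `None` means cryptography is not installed for that interpreter, so check the other python flavours the port builds for.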
Pending patch, should get to this later this week. If you can provide a QA'd patch, I ought to be able to commit it sooner.
Created attachment 177550 [details]
Bump py-cryptography to 1.6

Patch to bump py-cryptography to 1.6. Build tests done:
* Poudriere 11.0, amd64, python27, base ssl = OK
* Poudriere 10.3, amd64, python27, base ssl = OK
* Poudriere 9.3, amd64, python27, base ssl = FAIL
* Poudriere 11.0, amd64, python35, libressl = PENDING
* Poudriere 10.3, amd64, python35, libressl = PENDING
* Poudriere 9.3, amd64, python35, libressl = PENDING
Created attachment 177551 [details]
Build log for Poudriere 9.3 amd64 python27 base ssl build test (FAIL).

Had to compress the log as it's 4M originally.
More build tests:
* Poudriere 11.0, amd64, python35, libressl = OK
* Poudriere 10.3, amd64, python35, libressl = OK
* Poudriere 9.3, amd64, python35, libressl = OK (!)
A commit references this bug:

Author: feld
Date: Sun Dec 4 22:18:51 UTC 2016
New revision: 427810
URL: https://svnweb.freebsd.org/changeset/ports/427810

Log:
  security/py-cryptography: Update to 1.6

  Changelog: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

  PR:           214915
  Approved by:  ports-secteam (with hat)
  MFH:          2016Q4
  Security:     CVE-2016-9243

Changes:
  head/security/py-cryptography/Makefile
  head/security/py-cryptography/distinfo
  head/security/py-cryptography/files/
A commit references this bug:

Author: feld
Date: Sun Dec 4 22:20:29 UTC 2016
New revision: 427812
URL: https://svnweb.freebsd.org/changeset/ports/427812

Log:
  MFH: r427810

  security/py-cryptography: Update to 1.6

  Changelog: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

  PR:           214915
  Approved by:  ports-secteam (with hat)
  Security:     CVE-2016-9243

Changes:
_U  branches/2016Q4/
  branches/2016Q4/security/py-cryptography/Makefile
  branches/2016Q4/security/py-cryptography/distinfo
  branches/2016Q4/security/py-cryptography/files/
A commit references this bug:

Author: feld
Date: Sun Dec 4 22:29:11 UTC 2016
New revision: 427813
URL: https://svnweb.freebsd.org/changeset/ports/427813

Log:
  Document py-cryptography vulnerability

  PR:           214915
  Security:     CVE-2016-9243

Changes:
  head/security/vuxml/vuln.xml
Why was this committed and even MFHed when the build log says it fails to build?
It fails on 9.3 with base OpenSSL. I looked into the code that fails but it's not something I can repatch. One option is to mark it broken for 9.3 with base SSL, since 9.3 is about to be EOL'd very soon and nobody should be using OpenSSL that old anyway. I meanwhile ran more tests, builds fine with py27 & py35 with ports OpenSSL on all three supported FreeBSD branches.
(In reply to Antoine Brodin from comment #8) If we can't find a workaround for the build failure on 9.3 we'll have to mark it as BROKEN there. It doesn't make sense to leave all users vulnerable because it's broken on 9.3. 9.3 is also nearly EoL, so that was taken into consideration as well.
(In reply to Mark Felder from comment #10) Conditionally use ports SSL. I prefer this over BROKEN as the package for 9.3 will be produced, and it's not broken; it's that later versions of cryptography removed support for older versions (< 1.0.0 iirc) of SSL.
A commit references this bug:

Author: feld
Date: Thu Dec 8 17:07:23 UTC 2016
New revision: 428138
URL: https://svnweb.freebsd.org/changeset/ports/428138

Log:
  security/py-pycryptography: Fix build on FreeBSD 9.3

  Modern py-cryptography requires a more modern OpenSSL. This switch to
  requiring OpenSSL from ports is a disruptive change, but it will protect
  these users from the recently patched vulnerabilities.

  Support for OpenSSL 0.9.8 was removed in pycryptography as of version 1.4.
  The last release to support OpenSSL 0.9.8 was 1.3.4 which is still
  vulnerable to the HKDF key generation bug. It appears that version 1.4 did
  build successfully on FreeBSD 9.3, but upstream had abandoned support for
  OpenSSL 0.9.8 at that point so it is unclear if it was fully functional.

  PR:           214915
  MFH:          2016Q4

Changes:
  head/security/py-cryptography/Makefile
A commit references this bug:

Author: feld
Date: Thu Dec 8 17:08:55 UTC 2016
New revision: 428139
URL: https://svnweb.freebsd.org/changeset/ports/428139

Log:
  MFH: r428138

  security/py-pycryptography: Fix build on FreeBSD 9.3

  Modern py-cryptography requires a more modern OpenSSL. This switch to
  requiring OpenSSL from ports is a disruptive change, but it will protect
  these users from the recently patched vulnerabilities.

  Support for OpenSSL 0.9.8 was removed in pycryptography as of version 1.4.
  The last release to support OpenSSL 0.9.8 was 1.3.4 which is still
  vulnerable to the HKDF key generation bug. It appears that version 1.4 did
  build successfully on FreeBSD 9.3, but upstream had abandoned support for
  OpenSSL 0.9.8 at that point so it is unclear if it was fully functional.

  PR:           214915
  Approved by:  ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/security/py-cryptography/Makefile
The change was reverted, but it doesn't matter anymore because 9.3 is EoL. I should not be proud the "fix" is to wait for the OS to be EoL...