| Summary: | python-nassl bundles openssl | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Guillaume Rousse <guillomovitch> |
| Status: | RESOLVED WONTFIX | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | mageia |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | python-nassl-3.1.0-5.mga8.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2021-01-18 17:18:31 CET
Feel free to make it work against system openssl. It builds, but doesn't work correctly, either because of different build options, or because it has not been designed for dynamic linking. BTW, it actually links against two different versions of openssl. I'll disable python-sslyze on aarch64 too. We shouldn't be importing this package now if it can't be fixed.

Looking at https://pypi.org/project/nassl/0.13.7/, this does not seem possible. Maybe we can add a Provides so we know it bundles openssl, Provides: bundle(OpenSSL-1.0.2e) or something like this. Guillaume does not say it can't be fixed :-)
CC: (none) => mageia

Bundling 1.0.2 is even worse, because that branch is dead. I really don't think we should be shipping this package.

It doesn't "bundle" anything, i.e. it doesn't ship anything another package could use; it just statically reuses openssl code, including old and deprecated versions, in order to test for deprecated protocol versions. And it's an ssl scanner, not a regular client or server; we don't care about openssl vulnerabilities here. Just provide a credible exploitation scenario before asserting the usual policy applies here.

Fine...
Status: NEW => RESOLVED