Opened 6 years ago
Closed 6 years ago
#17164 closed defect (worksforme)
Disable SSLv3 by default
| Reported by: | jmantysalo | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | sage-duplicate/invalid/wontfix |
| Component: | notebook | Keywords: | |
| Cc: | jdemeyer, jpflori | Merged in: | |
| Authors: | | Reviewers: | |
| Report Upstream: | N/A | Work issues: | |
| Branch: | | Commit: | |
| Dependencies: | | Stopgaps: | |
Description
There is a bug in SSLv3, see for example https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
Upstream bug: http://bugs.python.org/issue22638
Change History (16)
comment:1 Changed 6 years ago by
- Type changed from PLEASE CHANGE to defect
comment:2 Changed 6 years ago by
- Description modified (diff)
comment:3 Changed 6 years ago by
comment:4 follow-up: ↓ 5 Changed 6 years ago by
I don't know, I just saw this, fairly randomly.
Exactly what would we want to do to fix this - upgrade Python? I don't know that we can dump the openssl package, there is nothing to replace it.
comment:5 in reply to: ↑ 4 Changed 6 years ago by
Replying to kcrisman:
Exactly what would we want to do to fix this - upgrade Python? I don't know that we can dump the openssl package, there is nothing to replace it.
Isn't there any configuration file that could be modified by Sage team until package itself is corrected?
comment:6 Changed 6 years ago by
Quite possibly! Actually, probably could just patch Python right now. But the point is that I don't know how :-) Since this seems pretty important, do you want to email sage-devel to make people aware of it? Probably most people don't know about this ticket, and ones who would know what to do would respond.
comment:7 Changed 6 years ago by
https://docs.python.org/2.7/library/ssl.html#ssl.OP_NO_SSLv3
says disabling SSLv3 is "New in version 2.7.9"
Sage 6.4.1 includes python 2.7.8
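The flag mentioned above (ssl.OP_NO_SSLv3, first available in Python 2.7.9) is what a local mitigation would set. As an added example, not code from the ticket, Sage or CPython, here is a small audit helper that reports whether an SSLContext's configuration still leaves SSLv3 enabled, plus the corresponding hardening step; the function names and the deliberately weakened test context are constructed for this illustration.

```python
import ssl

# Added audit/mitigation helpers around ssl.OP_NO_SSLv3 (Python >= 2.7.9).
# Illustrative code written for this page; not part of Sage or CPython.


def forbids_sslv3(ctx):
    """Return True if the context's configuration rules out SSLv3.

    Two independent knobs can forbid it: the legacy OP_NO_SSLv3 option bit
    (the 2.7.9 mechanism) and, on Python 3.7+ with OpenSSL 1.1.0g+, a
    minimum_version above SSLv3. Either one is sufficient.
    """
    if ctx.options & ssl.OP_NO_SSLv3:
        return True
    minimum = getattr(ctx, "minimum_version", None)
    if minimum is None:  # interpreter predates minimum_version
        return False
    # MINIMUM_SUPPORTED means "whatever the library allows", so it does
    # not forbid SSLv3 on its own; SSLv3 as the floor obviously does not.
    return minimum not in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                           ssl.TLSVersion.SSLv3)


def harden(ctx):
    """Apply the POODLE mitigation: forbid SSLv2/SSLv3 and, where the
    interpreter supports it, require TLS 1.2 or later. Returns ctx."""
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if hasattr(ctx, "minimum_version"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """Constructed test fixture: a client context with the SSLv3 protection
    deliberately removed, mimicking a configuration the audit should flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hasattr(ctx, "minimum_version"):
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    # Clear the bit via plain ints so this works on both int and IntFlag options.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    return ctx


if __name__ == "__main__":
    ctx = weak_context()
    print("weak context forbids SSLv3:", forbids_sslv3(ctx))
    print("after harden():", forbids_sslv3(harden(ctx)))
```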
comment:8 Changed 6 years ago by
2.7.9 is supposedly going to be released any day now, see https://www.python.org/dev/peps/pep-0373/ - though I'm not sure we want to be quite that early of an adopter.
comment:9 Changed 6 years ago by
- Cc jdemeyer added
Note that Python 2.9 is apparently now out, as of yesterday.
comment:10 Changed 6 years ago by
- Cc jpflori added
comment:11 Changed 6 years ago by
Should we update to 2.7.9? Among other things it has a bunch of other SSL/TLS fixes, e.g. SNI support.
comment:12 Changed 6 years ago by
Is this done with #18912?
comment:13 Changed 6 years ago by
- Status changed from new to needs_review
As we are on Python 2.7.9, this should not be an issue anyway.
comment:15 Changed 6 years ago by
- Milestone changed from sage-6.4 to sage-duplicate/invalid/wontfix
comment:16 Changed 6 years ago by
- Resolution set to worksforme
- Status changed from positive_review to closed
Is there any temporary fix for this?