
touch-packages team mailing list archive

[Bug 1401322] Re: Upgrade to Python 2.7.9


Hi Cory and Kevin! The Ubuntu Security team (most of the work was done
by Marc Deslauriers) has actively fixed individual Python packages in
Ubuntu's main archive pocket that are vulnerable to certificate
verification flaws prior to the Python 2.7.9 change. While many packages
were already doing proper certificate verification, we updated a number
that were not:

 http://www.ubuntu.com/usn/usn-1265-1/
 http://www.ubuntu.com/usn/usn-1270-1/
 http://www.ubuntu.com/usn/usn-1352-1/
 http://www.ubuntu.com/usn/usn-1375-1/
 http://www.ubuntu.com/usn/usn-1381-1/
 http://www.ubuntu.com/usn/usn-1464-1/
 http://www.ubuntu.com/usn/usn-1465-1/
 http://www.ubuntu.com/usn/usn-1465-2/
 http://www.ubuntu.com/usn/usn-1547-1/

You're correct that code living outside of Ubuntu's archive must do the
right thing or be updated to a release that does do the right thing by
the system administrator. We also keep in mind that there are many one-
off scripts, cron jobs, etc., connecting to a server with a self-signed
cert, that would break due to such a change. We have to walk a fine line
between providing security updates at all costs and potentially breaking
production machines with those updates. While we try our best to err on
the side of security whenever possible, it did not make sense to us in
this instance.

However, we are now looking into ways for our users to opt-in to full
certificate verification using our python2.7 packages. While enabling
full certificate verification by default, as performed by Python 2.7.9,
in a stable Ubuntu release is not a possibility due to the issues I
mentioned above, there are some other options on the table. We will look
at backporting the appropriate 2.7.9 patches to our python2.7 package in
14.04 and 12.04 or possibly bump those package versions up to 2.7.9. If
either of those options is possible, we'll employ the strategy proposed
by PEP 493 where full certificate verification is disabled by default
but configurable at a system-wide level through
/etc/python/cert-verification.cfg. This opt-in approach should allow the owners of
systems to enable the changes from PEP 476 once they know their
applications, scripts, cron jobs, etc., will continue to work correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python-defaults in Ubuntu.
https://bugs.launchpad.net/bugs/1401322

Title:
  Upgrade to Python 2.7.9

Status in python-defaults package in Ubuntu:
  Confirmed

Bug description:
  Python 2.7.9 contains numerous security improvements for Python.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-defaults/+bug/1401322/+subscriptions
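The following is an added example, not code from this bug report or from Ubuntu's python2.7 package. It models the opt-in mechanism the reply describes: a system-wide /etc/python/cert-verification.cfg whose [https] section carries verify = enable | disable | platform_default (the file location and keys PEP 493 specifies), the PYTHONHTTPSVERIFY environment variable, and the ssl.SSLContext that a PEP 476 style default would hand to urllib2/httplib on a 2.7.9 level interpreter. The precedence used here (environment variable over config file, with "0" meaning disable and anything else meaning enable), the platform_default parameter, and the helper names are this example's assumptions, not a description of what the Ubuntu packages actually do. The sample config file is constructed in a temporary directory so the code runs offline on either Python 2.7.9+ or Python 3.

```python
"""Opt-in HTTPS certificate verification in the style of PEP 493.

Added example, not code from the Launchpad bug or from Ubuntu's python2.7
package. Assumptions: PYTHONHTTPSVERIFY wins over the config file, "0"
disables and any other value enables, and with neither set the interpreter's
platform default applies.
"""
import os
import ssl
import tempfile

try:  # Python 3
    import configparser
except ImportError:  # Python 2
    import ConfigParser as configparser

CONFIG_PATH = "/etc/python/cert-verification.cfg"  # location named by PEP 493
VALID_SETTINGS = ("enable", "disable", "platform_default")


def read_verify_setting(path=CONFIG_PATH):
    """Return the [https] verify value from the config file, or None.

    A missing file, missing section or unrecognised value all yield None, so
    a typo in the file falls back to the platform default rather than
    silently turning verification off.
    """
    cfg = configparser.RawConfigParser()
    if not cfg.read(path):  # read() returns the list of files it parsed
        return None
    try:
        value = cfg.get("https", "verify").strip().lower()
    except (configparser.NoSectionError, configparser.NoOptionError):
        return None
    return value if value in VALID_SETTINGS else None


def verification_enabled(platform_default, env=None, config_path=CONFIG_PATH):
    """Decide whether HTTPS certificate verification is on for this process.

    platform_default is what the interpreter build does when nothing is
    configured: False for a 2.7 that predates PEP 476, True for 2.7.9.
    """
    env = os.environ if env is None else env
    env_value = env.get("PYTHONHTTPSVERIFY")
    if env_value is not None:
        # Assumption for this example: "0" disables, anything else enables.
        return env_value.strip() != "0"
    setting = read_verify_setting(config_path)
    if setting == "enable":
        return True
    if setting == "disable":
        return False
    return platform_default  # "platform_default", absent or malformed


def https_context(verify):
    """Build the SSLContext to pass as urllib2.urlopen(url, context=...)."""
    # create_default_context (2.7.9+/3.4+) gives CERT_REQUIRED, hostname
    # checking and the system CA store: the PEP 476 behaviour.
    ctx = ssl.create_default_context()
    if not verify:
        # Legacy behaviour. check_hostname must be cleared before CERT_NONE
        # is accepted, otherwise ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def write_sample_config(value):
    """Write a constructed cert-verification.cfg to a temp file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fp:
        fp.write("[https]\nverify = %s\n" % value)
    return path


if __name__ == "__main__":
    path = write_sample_config("enable")
    on = verification_enabled(platform_default=False, env={}, config_path=path)
    ctx = https_context(on)
    print("verify=%s verify_mode=%s check_hostname=%s"
          % (on, ctx.verify_mode, ctx.check_hostname))
    os.remove(path)
```

The point of the fallback in read_verify_setting is the failure mode the reply worries about from the other direction: an administrator who opts in should not be switched back to unverified connections by a misspelt value, and a system that has not opted in keeps the interpreter's default. PEP 493 also specifies ssl._https_verify_certificates() for per-process opt-in inside a backported interpreter; scripts that need verification on an unpatched 2.7.9+ build can instead pass the context from https_context(True) explicitly.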

