[3.4] Issues #27850 and #27766: Remove 3DES from ssl default cipher list an… by vstinner · Pull Request #224 · python/cpython
Merged (1 commit), Mar 10, 2017
Conversation

@vstinner (Member):

Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305.

Backport: replace 3.5.3 with 3.4.7 in the doc versionchanged.

(cherry picked from commit 03d13c0)

@vstinner (Member Author):

The change fixes the security vulnerability "Sweet32":
http://python-security.readthedocs.io/vulnerabilities.html#cve-2016-2183
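A defender's check for the condition this PR fixes, added here as an example rather than code from the PR or from CPython: it lists the 3DES suites a Python ssl context still offers and applies the same exclusion per context. It assumes OpenSSL's conventional suite naming (DES-CBC3 in the suite name, des-ede3-cbc as the cipher name) and the OpenSSL cipher-string keyword !3DES; the sample cipher list is constructed.

```python
import ssl

# Constructed sample shaped like ssl.SSLContext.get_ciphers() output (only the keys
# this check reads). It mirrors a pre-backport 3.4 default: 3DES suites still offered.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "symmetric": "aes-128-gcm"},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "symmetric": "chacha20-poly1305"},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "symmetric": "des-ede3-cbc"},
    {"name": "DES-CBC3-SHA", "symmetric": "des-ede3-cbc"},
]


def sweet32_ciphers(ciphers):
    """Names of suites whose bulk cipher is DES/3DES (64-bit block, Sweet32-affected).

    OpenSSL puts DES-CBC3 in the suite name and des-ede3-cbc in the cipher name;
    checking both catches either spelling. "DES" does not occur in AES/ChaCha names.
    """
    return [
        c["name"]
        for c in ciphers
        if "DES" in c.get("name", "") or "des" in (c.get("symmetric") or "").lower()
    ]


def harden_context(ctx):
    """Drop 3DES (plus anonymous/null suites) from a context's cipher list, in place.

    "!3DES" is the OpenSSL cipher-string keyword for the 3DES suites; the backport
    applies the same exclusion to the interpreter-wide default, this does it per context.
    """
    ctx.set_ciphers("DEFAULT:!3DES:!aNULL:!eNULL")
    return ctx


def audit_default_context():
    """Return (3DES suites in this interpreter's default context, 3DES suites after hardening)."""
    ctx = ssl.create_default_context()
    before = sweet32_ciphers(ctx.get_ciphers())
    after = sweet32_ciphers(harden_context(ctx).get_ciphers())
    return before, after


if __name__ == "__main__":
    before, after = audit_default_context()
    print("3DES suites in default context:", before or "none")
    print("3DES suites after hardening:   ", after or "none")
```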

@vstinner vstinner added the type-security A security issue label Feb 21, 2017
@vstinner vstinner requested a review from tiran February 21, 2017 21:37
@vstinner (Member Author):

FYI I created a second PR based on this one: PR #226. Let's see how it works :-)

@vstinner (Member Author):

Ah, it seems like the Merge button is restricted to release managers on the 3.4 branch.

@vstinner (Member Author) commented Mar 9, 2017:

ping @larryhastings and @ned-deily

@vstinner vstinner requested a review from ned-deily March 9, 2017 23:42
@ned-deily (Member):

@Haypo, This change is already in 3.6 and 3.5 already, correct? So the only issue is 3.4? If so, you need a review from @larryhastings, not me! And, in general, if there is a release blocker issue, you need to flag it as such on the bug tracker, not here.

@vstinner (Member Author):

Updated URL:
http://python-security.readthedocs.io/vulnerabilities.html#cve-2016-2183-sweet32-attack-des-3des

> @Haypo, This change is already in 3.6 and 3.5 already, correct?

Right.

> So the only issue is 3.4?

Yes. In branches still accepting security fixes, it seems like only 3.4 remains vulnerable:
http://python-security.readthedocs.io/ssl.html#cipher-suite

> If so, you need a review from @larryhastings, not me! And, in general, if there is a release blocker issue, you need to flag it as such on the bug tracker, not here.

I created this PR 16 days ago, and Larry didn't reply yet. IMHO it's an important security vulnerability, so I would prefer to merge this fix quickly. Then the question will be when a new 3.4 version can be released with the security fix :-/

About the bug tracker: the Priority field has no version, "release blocker" is not specific to the 3.4 branch. I looked at http://bugs.python.org/issue27850 which is a single issue for all branches.

@ned-deily (Member) commented Mar 10, 2017:

All you need to do is set the version to 3.4 only (which it is already) and then set "release blocker". Please continue to follow our long-standing policy about release blockers because otherwise issues are going to fall through the cracks. As far as merging goes and producing a 3.4.x security release, that's up to Larry. This has been open now for months so I guess it can wait a few more days, no?

@vstinner (Member Author):

> All you need to do is set the version to 3.4 only (which it is already) ...

Ah, when an issue affects multiple versions, I prefer to keep all versions selected. But well, since someone already removed 2.7, 3.5 and 3.6, it works for me :-)

> and then set "release blocker" (...)

Ok, done.

@larryhastings (Contributor):

I'm not qualified for security review work, so I'm a poor choice of reviewer for this.

@dstufft (Member) commented Mar 10, 2017:

Security wise this is a good change. I think the only question is whether it's OK for it to land in 3.4 (which IMO it should)? AFAIK the RM has to be the one to OK a merge into a security only branch?

@vstinner (Member Author) commented Mar 10, 2017 via email

@vstinner (Member Author) commented Mar 10, 2017 via email

@larryhastings larryhastings merged commit fa53dbd into python:3.4 Mar 10, 2017
@larryhastings (Contributor):

By default I schedule releases every six months, which I gather is nicer for downstream maintainers like Linux distributions. I make emergency releases for the-sky-is-falling security holes. I haven't been convinced that "remove an old and increasingly broken encryption standard from a list of approved defaults" merits the cost to the world of a new 3.4 release.

@dstufft (Member) commented Mar 10, 2017:

I don't think that getting rid of 3DES by default is a big enough deal to warrant an emergency release.

@vstinner (Member Author) commented Mar 10, 2017 via email

@dstufft (Member) commented Mar 10, 2017:

Eh, it's a balance. Every release changes some behavior so every release risks regressions to someone. The more of them you have the more variable behaviors you're going to see in the wild (e.g. we have pip bugs that only reproduce on specific versions of Python down to an X.Y.Z). In addition other people consume these releases so each release you make adds additional work for them to integrate that release within their own tooling (for example, Debian, Red Hat, etc pulling in the latest version).

At the end of the day when to release is a balancing act between churn and not holding up features or improvements for extended periods of time.

@vstinner (Member Author) commented Mar 10, 2017 via email

@vstinner vstinner deleted the CVE-2016-2183/3.4 branch April 26, 2017 09:48
@vstinner vstinner changed the title Issues #27850 and #27766: Remove 3DES from ssl default cipher list an… [3.4] Issues #27850 and #27766: Remove 3DES from ssl default cipher list an… Jun 19, 2017
jaraco added a commit to jaraco/cpython that referenced this pull request Feb 17, 2023: "_common: add type hint to files()"
Labels: type-security (A security issue)