
Bug#881415: stretch-pu: python2.7/2.7.13-2+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to upload python2.7 to fix a problem that it can't
talk to SSL/TLS sites that use an ECDSA certificate different than
P256, like a P384 certificate.

Here is the debdiff:
diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog
--- python2.7-2.7.13/debian/changelog
+++ python2.7-2.7.13/debian/changelog
@@ -1,3 +1,10 @@
+python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload with maintainer's permission
+  * Support all groups in TLS communication (Closes: #868143)
+
+ -- Kurt Roeckx <kurt@roeckx.be>  Thu, 09 Nov 2017 21:58:19 +0100
+
 python2.7 (2.7.13-2) unstable; urgency=medium
 
   * Lower priority of interpreter packages to optional.
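Review bot: the new changelog entry "Support all groups in TLS communication (Closes: #868143)" does not name the patch it adds or the upstream reference. Consider mentioning Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff and bpo-29697 in that line, so the stable update can be traced to the upstream change from the changelog alone.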
diff -u python2.7-2.7.13/debian/patches/series.in python2.7-2.7.13/debian/patches/series.in
--- python2.7-2.7.13/debian/patches/series.in
+++ python2.7-2.7.13/debian/patches/series.in
@@ -71,0 +72 @@
+Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
only in patch2:
unchanged:
--- python2.7-2.7.13.orig/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
+++ python2.7-2.7.13/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
@@ -0,0 +1,28 @@
+From 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 Mon Sep 17 00:00:00 2001
+From: Donald Stufft <donald@stufft.io>
+Date: Thu, 2 Mar 2017 11:24:50 -0500
+Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+
+
+---
+ Modules/_ssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: python2.7-2.7.13/Modules/_ssl.c
+===================================================================
+--- python2.7-2.7.13.orig/Modules/_ssl.c
++++ python2.7-2.7.13/Modules/_ssl.c
+@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject
+         options |= SSL_OP_NO_SSLv3;
+     SSL_CTX_set_options(self->ctx, options);
+ 
+-#ifndef OPENSSL_NO_ECDH
++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
+     /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+        prime256v1 by default.  This is Apache mod_ssl's initialization
+        policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
+      */
+-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
++#if defined(SSL_CTX_set_ecdh_auto)
+     SSL_CTX_set_ecdh_auto(self->ctx, 1);
+ #else
+     {
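Review bot: in the Modules/_ssl.c hunk, the retained comment still says "OpenSSL 1.1 has it enabled by default", but once `!defined(OPENSSL_VERSION_1_1)` moves to the outer `#if`, that comment sits inside a block that is not compiled on 1.1. Suggest moving the remark about 1.1 above the outer `#if`, or rewording it to say the block is skipped on 1.1+ because the library selects the group itself, so the reason for the guard is visible to someone reading the 1.1 code path. The embedded patch header carries the upstream commit and bpo-29697 but no pointer to the Debian bug; a Bug-Debian field referencing #868143 would tie it to the changelog entry.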