For what it’s worth, I believe that PEP 476 patch has been applied to Python 2.7.8 in Jessie which means that urllib3 will automatically get the same security it has on Python 3+ on Python 2 without needing anything additional installed.
> On Oct 22, 2014, at 10:11 AM, Daniele Tricoli <er...@mornie.org> wrote:
>
> Hello Christoph,
> thanks for this report!
>
> [cc Donald Stufft since he is a security guy! Thanks Donald and sorry for the
> noise! ;)]
>
> On Wednesday 22 October 2014 03:00:30 Christoph Anton Mitterer wrote:
>> So apparently you say, that without python-ndg-httpsclient, python-openssl
>> and python-pyasn1 python-urllib3 is vulnerable to at least CRIME, right?
>
> When using SSL, yes, but only on Python 2: on Python 3 you can just use
> OP_NO_COMPRESSION to prevent it.
>
>> But shouldn't it then Depend on all of those? Or is it guaranteed that
>> all code that might ever use python-urllib3, will check for these
>> dependencies whenever SSL/TLS is used, and therefore be on the safe side?
>
> Of course, it's not guaranteed that all code that might ever use python-
> urllib3 will check for python-ndg-httpsclient, python-openssl and python-
> pyasn1 (well this depends on how upstream wrote that code), but urllib3 can
> be used without SSL/TLS at all.
>
> Debian Policy says about Recommends[¹]:
>
> Recommends
>
> This declares a strong, but not absolute, dependency.
>
> The Recommends field should list packages that would be found together
> with this one in all but unusual installations.
>
> A not so unusual installation can be a service where I use urllib3 without
> SSL/TLS: in this case I don't need python-ndg-httpsclient, python-openssl and
> pyasn1.
>
>> I mean if e.g. openssl would dynamically load libssl and silently default to
>> using aNULL and eNULL ciphersuites only, when it's not present,... one
>> would probably also say "libssl is mandatory, since otherwise security
>> isn't guaranteed".
>
> I think this example, however, is a bit different. Do you think so?
> You will not use openssl without libssl (I'm considering the use of NULL
> ciphersuites as not using libssl at all), but you *can* use urllib3 without
> SSL.
>
> So, I think Recommends is fine in this case. For more details you can look at
> this thread on @debian-python:
>
> https://lists.debian.org/debian-python/2014/06/msg00031.html
>
> Kind regards,
>
> --
> Daniele Tricoli 'Eriol'
> http://mornie.org

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
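A Python 3 check for the two properties the thread turns on, TLS compression being off (the OP_NO_COMPRESSION remark) and certificate verification being on (the PEP 476 default), written as an added example rather than code from the thread or from urllib3; `tls_audit`, `hardened_context` and `weak_context` are names chosen here, and the weak context is constructed only to show what the audit flags.

```python
import ssl


def tls_audit(ctx: ssl.SSLContext) -> list:
    """Return findings for a client SSLContext; an empty list means it passes.

    Covers the points raised in the thread: TLS compression must be disabled
    (CRIME) and peer certificates must be verified (the PEP 476 default).
    """
    findings = []
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression enabled (CRIME)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


def hardened_context() -> ssl.SSLContext:
    # create_default_context() already sets OP_NO_COMPRESSION, CERT_REQUIRED
    # and check_hostname; the explicit OR just makes the intent visible.
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def weak_context() -> ssl.SSLContext:
    # Constructed for illustration: a context with the properties the thread
    # warns about (compression negotiable, peer certificate not verified).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(name, tls_audit(ctx) or ["ok"])
```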