Hello FreeBSD Python,

I'm not sure if this is a bug, and if it is a bug, I'm not sure which
port I should submit it against.

I completed the following pkg upgrades this morning and changed nothing
else.

Nov 10 08:56:31 tizzy pkg[49703]: openssl upgraded: 3.0.12,1 -> 3.0.12_1,1
Nov 10 08:56:32 tizzy pkg[49703]: libuv upgraded: 1.46.0 -> 1.47.0
Nov 10 08:56:32 tizzy pkg[49703]: bash upgraded: 5.2.15 -> 5.2.21
Nov 10 08:56:33 tizzy pkg[49703]: py310-cryptography reinstalled: 41.0.5,1 -> 41.0.5,1
Nov 10 08:56:33 tizzy pkg[49703]: libevent reinstalled: 2.1.12 -> 2.1.12
Nov 10 08:56:33 tizzy pkg[49703]: py310-outcome upgraded: 1.3.0 -> 1.3.0_1
Nov 10 08:56:36 tizzy pkg[49703]: postgresql15-client upgraded: 15.4 -> 15.5
Nov 10 08:56:37 tizzy pkg[49703]: sudo upgraded: 1.9.15 -> 1.9.15p2

Immediately, a cron job that imports dns.query from dns/py-dnspython
started failing with a RuntimeError. Here is a slightly simpler
demonstration:

% python -c 'import OpenSSL'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import SSL, crypto
  File "/usr/local/lib/python3.10/site-packages/OpenSSL/SSL.py", line 9, in <module>
    from OpenSSL._util import (
  File "/usr/local/lib/python3.10/site-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 167, in <module>
    Binding.init_static_locks()
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 134, in init_static_locks
    cls._ensure_ffi_initialized()
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 123, in _ensure_ffi_initialized
    _legacy_provider_error(cls._legacy_provider_loaded)
  File "/usr/local/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _legacy_provider_error
    raise RuntimeError(
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

I struggle to see how the recent change to security/openssl could have
caused this to start happening.

commit e31577029401e1e328f0caaef837d613d98dd515
Author: Bernard Spil <br...@freebsd.org>
Date:   Wed Nov 8 17:14:28 2023 +0100

    security/openssl: Security fix for CVE-2023-5678

    Security: a5956603-7e4f-11ee-9df6-84a93843eb75
    MFH: 2023Q4

Any advice?

Thank you,
John