Package: python-urllib3
Version: 1.9.1-2
Severity: important
Tags: security

Hi.

I've read that worrisome entry in the changelog.Debian:

> - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
>   python-urllib3's Recommends to ensure that SNI works as expected and to
>   prevent CRIME attack

So apparently you say that, without python-ndg-httpsclient, python-openssl and python-pyasn1, python-urllib3 is vulnerable to at least CRIME, right?

But shouldn't it then Depend on all of those? Or is it guaranteed that all code that might ever use python-urllib3 will check for these dependencies whenever SSL/TLS is used, and therefore be on the safe side?

I mean, if e.g. openssl would dynamically load libssl and silently default to using only aNULL and eNULL ciphersuites when it's not present, one would probably also say "libssl is mandatory, since otherwise security isn't guaranteed".

Cheers,
Chris

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-urllib3 depends on:
ii  python-six  1.8.0-1
pn  python:any  <none>

Versions of packages python-urllib3 recommends:
ii  ca-certificates         20141019
ii  python-ndg-httpsclient  0.3.2-1
ii  python-openssl          0.14-1
ii  python-pyasn1           0.1.7-1

python-urllib3 suggests no packages.

-- no debconf information
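The worry in the report above is a silent downgrade: an application keeps working when the optional backend packages are missing, just without SNI or with TLS compression left on. The following is an added example, not code from the bug report, from Debian or from urllib3 itself. It shows the application-side counterpart to the packaging question: probe at start-up for what the interpreter can actually offer and fail closed instead of falling back. It assumes the Debian packages python-openssl, python-ndg-httpsclient and python-pyasn1 correspond to the import names OpenSSL, ndg.httpsclient and pyasn1, and it uses urllib3's real urllib3.contrib.pyopenssl.inject_into_urllib3() only when that module imports; everything else is the Python standard library.

```python
"""Fail-closed TLS capability check for a urllib3-based client.

Added example (not from the bug report, Debian or urllib3). Instead of
trusting that the optional backend packages are installed, detect at
start-up whether SNI is available from either the stdlib or urllib3's
pyOpenSSL backend, and make sure TLS compression (the CRIME vector) is
off on the context the client will use. Missing pieces raise instead
of silently degrading.
"""
import importlib.util
import ssl

# Import names assumed for the three Debian Recommends named in the
# changelog (assumption: package -> module mapping).
OPTIONAL_BACKEND_MODULES = ("OpenSSL", "ndg.httpsclient", "pyasn1")


def _importable(name):
    """True if `name` can be found without importing it.

    find_spec() on a dotted name imports the parent package and raises
    ModuleNotFoundError when that parent is absent, so treat any
    ImportError as "not available".
    """
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        return False


def optional_backend_available():
    """True only if all three pyOpenSSL-backend modules are installed."""
    return all(_importable(m) for m in OPTIONAL_BACKEND_MODULES)


def try_inject_pyopenssl():
    """Switch urllib3 to its pyOpenSSL backend if that module imports.

    urllib3 ships urllib3.contrib.pyopenssl with inject_into_urllib3().
    On interpreters whose ssl module lacks SNI this is the only way to
    get it. Returns True on success, False if urllib3 or its optional
    dependencies are missing.
    """
    try:
        from urllib3.contrib import pyopenssl
    except ImportError:
        return False
    pyopenssl.inject_into_urllib3()
    return True


def make_context():
    """Stdlib TLS context with compression explicitly disabled."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx):
    """True if OP_NO_COMPRESSION is set on the context (CRIME mitigation)."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def check_tls_capabilities():
    """Report what this interpreter really offers; never assume."""
    return {
        "stdlib_sni": bool(ssl.HAS_SNI),
        "optional_backend": optional_backend_available(),
        "compression_disabled": compression_disabled(make_context()),
    }


def require_secure_tls():
    """Fail closed: raise rather than fall back to a weaker TLS setup."""
    caps = check_tls_capabilities()
    if not caps["stdlib_sni"] and not try_inject_pyopenssl():
        raise RuntimeError(
            "no SNI-capable TLS backend: install python-openssl, "
            "python-ndg-httpsclient and python-pyasn1")
    if not caps["compression_disabled"]:
        raise RuntimeError("TLS compression could not be disabled")
    return caps


if __name__ == "__main__":
    for key, value in require_secure_tls().items():
        print("%-22s %s" % (key, value))
```

Call require_secure_tls() once at import time of the client; an interpreter that can only fall back to a non-SNI, compression-enabled connection then refuses to start rather than quietly talking to the wrong virtual host or exposing the session to CRIME.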
Hi. I've read that worrysome entry in the changelog.Debian: > - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into > python-urllib3's Recomends to ensure that SNI works as expected and to > prevent CRIME attack So apparently you say, that without python-ndg-httpsclient, python-openssl and python-pyasn1 python-urllib3 is vulnerable to at least CRIME, right? But shouldn't it then Depend on all of those? Or is it guaranteed that all code that might ever use python-urllib3, will check for these dependencies whenever SSL/TLS is used, and therefore be on the safe side?. I mean if e.g. openssl would dynamically load libssl and silently default to using aNULL and eNULL ciphersuites only, when it's not present,... one would probably also say "libssl is mandatory, since otherwise security isn't guaranteed". Cheers, Chris -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages python-urllib3 depends on: ii python-six 1.8.0-1 pn python:any <none> Versions of packages python-urllib3 recommends: ii ca-certificates 20141019 ii python-ndg-httpsclient 0.3.2-1 ii python-openssl 0.14-1 ii python-pyasn1 0.1.7-1 python-urllib3 suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org