Alex Gaynor added the comment:
Hah! I didn't realize you meant *logging.handlers.HTTPHandler*, I thought you
meant *urllib.request.HTTPHandler*.
--
___
Python tracker
<http://bugs.python.org/is
Alex Gaynor added the comment:
Quick pass at a patch. No docs, and it should probably be an error to pass
context with secure=False.
--
keywords: +needs review, patch
Added file: http://bugs.python.org/file37124/issue22788.diff
Python tracker
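The consistency check raised in the message above (a context only makes sense with secure=True) is what the shipped logging.handlers.HTTPHandler enforces today. The following is an added example, not code from the thread's patch or from CPython: it builds the handler with a verifying SSLContext and shows the rejected combination. The host, URL and the optional private-CA bundle path are placeholders assumed for illustration.

```python
import logging
import logging.handlers
import ssl


def https_log_handler(host, url, cafile=None):
    """HTTPHandler that ships log records over TLS with a verifying context.

    create_default_context() gives CERT_REQUIRED plus hostname checking. For an
    internal log collector whose CA is not in the system store, the caller
    passes its PEM bundle as cafile (assumed path, supplied by the caller).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    return logging.handlers.HTTPHandler(
        host, url, method="POST", secure=True, context=ctx)


def handler_verifies_peer(handler):
    """Inspect the context the handler will hand to http.client.HTTPSConnection."""
    ctx = handler.context
    return (ctx is not None
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def context_without_secure_is_rejected():
    """A context with secure=False is meaningless for plain HTTP; the stdlib
    handler raises ValueError for that combination."""
    try:
        logging.handlers.HTTPHandler(
            "logs.example.invalid", "/ingest",          # placeholder collector
            secure=False, context=ssl.create_default_context())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    h = https_log_handler("logs.example.invalid", "/ingest")
    print("verifying context:", handler_verifies_peer(h))
    print("context+secure=False rejected:", context_without_secure_is_rejected())
```

Nothing is sent here; the handler only opens a connection when a record is emitted, and at that point the context decides whether an untrusted or mis-named collector certificate is refused.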
Alex Gaynor added the comment:
FWIW, I'm not convinced the pure python fallback code is sufficient either;
time.time() doesn't have the necessary resolution AFAIK? Also clock_seq is
generated using the random module's Mersenne Twister, not SystemRandom().
---
Alex Gaynor added the comment:
FWIW, that code is all significantly simplified by the patch in
http://bugs.python.org/issue22559
--
Python tracker
<http://bugs.python.org/issue22
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
In a post-PEP 476 world, this method will be used on Python 2.7, so it would be
good to backport now.
--
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
Attached patch backports this to 2.7.
--
Added file: http://bugs.python.org/file37261/issue22417.diff
Python tracker
<http://bugs.python.org/issue22
New submission from Alex Gaynor:
With the PEP 476 backport, we need a way to pass a context argument to urllib
--
components: Library (Lib)
messages: 231588
nosy: alex, benjamin.peterson, dstufft
priority: normal
severity: normal
status: open
title: Expose an SSLContext parameter on
Changes by Alex Gaynor :
--
keywords: +patch
Added file: http://bugs.python.org/file37263/issue22927.diff
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
FWIW, Debian experimental appears to be using a different #define for this.
Here's how we handled it in pyca/cryptography:
https://github.com/pyca/cryptography/commit/04a3f1f2c4086c0d7162b6dd79b6332d9115b2c0
--
nosy: +alex, christian.heimes, ds
Alex Gaynor added the comment:
Good to know, thanks.
--
Python tracker
<http://bugs.python.org/issue22935>
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
versions: +Python 2.7
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
Attached is a patch for 2.7
--
keywords: +patch
Added file: http://bugs.python.org/file37321/issue22960.diff
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
Attached patch fixes it for Python 3.
--
Added file: http://bugs.python.org/file37323/issue22960-3.diff
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
This will cause it to not validate in some cases where it currently is
validating? That seems like a regression to me.
--
Python tracker
<http://bugs.python.org/issue22
Alex Gaynor added the comment:
I agree this is a bug, but I believe the correct output is:
no yes yes yes yes yes
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Python tracker
<http://bugs.python.org/issue22
New submission from Alex Gaynor:
For almost any conceivable application, os.urandom is a preferable way to
access a CSPRNG, and is less error prone, the docs should point this out.
--
assignee: docs@python
components: Documentation
files: rand.diff
keywords: patch
messages: 232436
nosy
Alex Gaynor added the comment:
As a part of this, we might want to consider changing the implementation to not
compile the SANs into a regular expression. Constantly compiling new regexs can
cause churn in the `re` cache, which can degrade performance -- also, it's
probably much worse on
Alex Gaynor added the comment:
Python 2.7.9 enabled certificate validation by default for HTTPS connections,
see PEP 476.
The server you're connecting to does not have a certificate that is trusted by
your client. pysphere should configure SSL appropriately for this use case.
--
New submission from Alex Gaynor:
Whether __builtins__ is a module or a dict is undefined in CPython. Use the
reliably well defined `import __builtin__` instead.
--
components: Library (Lib)
files: mock-backport.diff
keywords: patch
messages: 232838
nosy: alex, benjamin.peterson
New submission from Alex Gaynor:
This makes the urandom codebase easier to maintain by allowing porting patches
between 2.7 and 3.x easier; it also improves support for the OpenBSD platform.
Support for porting patches is not just a theoretical concern, it's likely that
Linux's
Changes by Alex Gaynor :
Added file: http://bugs.python.org/file37543/issue23115.diff
Python tracker
<http://bugs.python.org/issue23115>
New submission from Alex Gaynor:
In addition to the security concerns, it is now a violation of RFC7465 to offer
a cipher suite with RC4 in a ClientHello: https://tools.ietf.org/html/rfc7465
--
components: Library (Lib)
files: rc4.diff
keywords: patch
messages: 236202
nosy: alex
New submission from Alex Gaynor:
https://www.openssl.org/news/secadv_20150611.txt
--
components: Library (Lib)
keywords: security_issue
messages: 245173
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, paul.moore,
pitrou, steve.dower, tim.golden, zach.ware
priority
New submission from Alex Gaynor:
Right now uuid4 can be implemented one of 3 ways:
- If there's a libuuid (and it's not OS X's) it uses that.
- Fallback to os.urandom
- If that raises an exception, fall back to the random module
I propose to simplify this to _just_ use os
Alex Gaynor added the comment:
(Note that the speed difference would be even bigger on a recent python, 2.7.3
was before the file descriptor was cached for os.urandom)
--
Python tracker
<http://bugs.python.org/issue25
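The three messages above on uuid4 (the random-module fallback, the proposal to use only os.urandom) and the earlier one on os.urandom being the preferable CSPRNG share one point: version-4 UUIDs are 122 random bits and nothing else, so the only thing that matters is where the bits come from. The following is an added example, not code from the thread or from CPython's uuid module. It builds a v4 UUID straight from os.urandom, checks the RFC 4122 version and variant fields, and shows, with a fixed seed standing in for recovered generator state, why a Mersenne Twister fallback gives a reproducible "random" UUID.

```python
import os
import random
import uuid


def uuid4_from_urandom():
    """Version-4 UUID from 16 bytes of the OS CSPRNG.

    uuid.UUID(bytes=..., version=4) overwrites the 4 version bits and the 2
    variant bits exactly as RFC 4122 requires, so no manual bit-twiddling and
    no libuuid / time.time() / clock_seq machinery is needed.
    """
    return uuid.UUID(bytes=os.urandom(16), version=4)


def is_well_formed_v4(u):
    """Check the fixed fields: high nibble of byte 6 is 0100 (version 4),
    high two bits of byte 8 are 10 (RFC 4122 variant)."""
    b = u.bytes
    return ((b[6] >> 4) == 0x4
            and (b[8] >> 6) == 0b10
            and u.version == 4
            and u.variant == uuid.RFC_4122)


def mersenne_twister_uuid(seed):
    """What a fallback on the random module amounts to.

    MT19937 is not a CSPRNG: its state is fully determined by the seed (and is
    recoverable from 624 consecutive outputs). The seed here is a constructed
    stand-in for that recovered state; the 'random' UUID comes out identical
    every time, which is the property the thread objects to.
    """
    rng = random.Random(seed)
    return uuid.UUID(int=rng.getrandbits(128), version=4)


if __name__ == "__main__":
    u = uuid4_from_urandom()
    print(u, "well-formed v4:", is_well_formed_v4(u))
    print("MT fallback, seed 1234, twice:",
          mersenne_twister_uuid(1234), mersenne_twister_uuid(1234))
```

Note that both functions pass the structural check: version and variant bits say nothing about unpredictability, which is why a test suite cannot catch a weak RNG behind uuid4 and the source of the bytes has to be reviewed directly.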
New submission from Alex Gaynor:
SSLv3 is broken, both _create_unverified_context and create_default_context
turn it off, but we should make all contexts turn it off, like we do for SSLv2.
A patch is attached.
--
components: Library (Lib)
files: sslv3.diff
keywords: needs review
Alex Gaynor added the comment:
Oops, there were a few failing tests on that patch. New one is green
--
Added file: http://bugs.python.org/file40927/sslv3.diff
Python tracker
<http://bugs.python.org/issue25
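The SSLv3 and RC4 submissions above, the PEP 476 comment (validation on by default; clients talking to a private CA should configure a context rather than disable checking), and the request to expose an SSLContext parameter on urllib all come down to what a client context looks like once hardened. The following is an added example, not code from any of the thread's patches or from CPython: it builds a verifying client context, reports the properties those threads care about (SSLv3 refused, no RC4 suite offered, peer verified, hostname checked), contrasts it with the unverified context, and shows how the context reaches urllib. The cafile argument is an assumed, caller-supplied PEM bundle for a private CA.

```python
import ssl
import urllib.request


def hardened_client_context(cafile=None):
    """Client context with the PEP 476 defaults: CERT_REQUIRED and hostname
    checking, trusting the system store or the private-CA bundle in cafile
    (an assumed path supplied by the caller, e.g. for a lab appliance)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Belt and braces on top of the defaults: SSLv2/SSLv3 are already refused
    # by every context since the change discussed above; TLS 1.2 is this
    # example's chosen floor (3.7+ API).
    if hasattr(ssl, "TLSVersion"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context():
    """The opposite end: what "just make the warning go away" buys you.
    No peer verification, no hostname check, so any MITM certificate passes."""
    return ssl._create_unverified_context()


def context_report(ctx):
    """Properties a reviewer would assert on before trusting a context."""
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        # RFC 7465: an RC4 suite must not appear in the ClientHello at all.
        "rc4_ciphers_offered": sorted(
            c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def opener_for(ctx):
    """Bind the context to urllib: HTTPSHandler(context=...) is the parameter
    the tracker thread asked to expose; urlopen(url, context=ctx) is the
    one-shot form of the same thing."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    print("hardened:  ", context_report(hardened_client_context()))
    print("unverified:", context_report(unverified_context()))
    print("handlers:  ", [type(h).__name__ for h in opener_for(hardened_client_context()).handlers])
```

No connection is made; the report is computed from the context alone, which is what makes it usable as a unit test in a code base that wraps the ssl module.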
New submission from Alex Gaynor:
Run the following code:
import socket
import ssl
import sys
def main():
ctx = ssl.create_default_context()
s = socket.create_connection(('www.bing.com', 443))
s = ctx.wrap_socket(s, server_hostname='www.bing.com
Changes by Alex Gaynor :
--
nosy: +christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Python tracker
<http://bugs.python.org/issue25569>
Alex Gaynor added the comment:
A probable source of the leak is here:
https://github.com/python/cpython/blob/master/Modules/_ssl.c#L1073-L1076 `dps`
is never freed. (This is with OpenSSL 0.9.8zg)
--
Python tracker
<http://bugs.python.
Alex Gaynor added the comment:
I think you want sk_DIST_POINT_free actually.
--
Python tracker
<http://bugs.python.org/issue25569>
Alex Gaynor added the comment:
Tests pass and the original script runs without a leak using this patch. It
could probably be shorter if we converted from local returns to `goto fail` or
something, but I don't really have an opinion.
--
New submission from Alex Gaynor:
Test.
Put this certificate in a file:
-----BEGIN CERTIFICATE-----
MIICjTCCAXWgAwIBAgIBADANBgkqhkiG9w0BAQsFADAAMB4XDTE1MTEwNzE1MTAw
NVoXDTE1MTEwNzE1MTAwNVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAKiZ3rzOM1m6toThRtkwgZzjuVVdapwU63yoXmp91f14pfO1z5XIkVAP1Sz
Alex Gaynor added the comment:
Does this issue still occur on default?
https://hg.python.org/cpython/rev/d80954d941c7
--
nosy: +alex
Python tracker
<http://bugs.python.org/issue25
Alex Gaynor added the comment:
fixed
--
status: open -> closed
Python tracker
<http://bugs.python.org/issue25569>
Changes by Alex Gaynor :
--
nosy: +benjamin.peterson
Python tracker
<http://bugs.python.org/issue25578>
Alex Gaynor added the comment:
I agree the tests shouldn't rely on a legacy domain like svn.python.org.
In the meantime Ernest is working on getting a valid cert set up.
--
nosy: +alex
Python tracker
<http://bugs.python.org/is
Alex Gaynor added the comment:
There's good news and bad news, which do you want first?
Good news, great!
svn.python.org now has a certificate that's not expired, and it's even trusted
by major trust stores.
Bad news?
The tests rely on the cert for svn.python.org specifica
New submission from Alex Gaynor:
https://docs.python.org/2/library/crypto.html
https://docs.python.org/3/library/crypto.html
This language has a number of issues:
- Crypto isn't just for "Hardcore cypherpunks" anymore, it's a necessary
component of a great many software
Changes by Alex Gaynor :
--
title: Language on the "Cryptographic Services" is out of date -> Language on
the "Cryptographic Services" documentation page is out of date
Python tracker
<http://
New submission from Alex Gaynor:
https://hg.python.org/cpython/file/default/Doc/library/importlib.rst#l1124
the spacing is wrong, it should be:
.. versionchanged:: 3.5
--
assignee: docs@python
components: Documentation
messages: 259263
nosy: alex, docs@python, eric.araujo
New submission from Alex Gaynor:
https://openssl.org/news/secadv/20160301.txt
--
keywords: security_issue
messages: 261052
nosy: alex, paul.moore, steve.dower, tim.golden, zach.ware
priority: critical
severity: normal
status: open
title: Upgrade OpenSSL shipped with python installers
Changes by Alex Gaynor :
--
nosy: +christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Python tracker
<http://bugs.python.org/issue26465>
Alex Gaynor added the comment:
Right now all the hashlib algorithms are backed by OpenSSL. OpenSSL 1.1.0 will
have blake2, so perhaps the right move is just to wait for that to drop in a
few weeks?
Sadly many users with old OpenSSL's still won't have blake2, but pretty quickly
Wind
New submission from Alex Gaynor:
https://www.openssl.org/news/secadv/20160503.txt
--
keywords: security_issue
messages: 264731
nosy: alex, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden,
zach.ware
priority: normal
severity: normal
status: open
title: Upgrade installers
Changes by Alex Gaynor :
--
nosy: +alex
Python tracker
<http://bugs.python.org/issue23515>
Alex Gaynor added the comment:
I'm attaching a patch that does what Donald suggests.
--
keywords: +patch
Added file: http://bugs.python.org/file38287/store.diff
Python tracker
<http://bugs.python.org/is
Alex Gaynor added the comment:
It looks like the existing `verify_flags` param is actually the same thing, so
we can just use it. That said, I think this should be on by default; I can't
think of a scenario where you don't want it.
--
Alex Gaynor added the comment:
This seems like it probably will report something useless (and ultimately be
disabled) on PyPy, where runs before and after the JIT will display significant
variance.
--
nosy: +alex, arigo, fijall
Python tracker
Alex Gaynor added the comment:
+1 on this -- for pyca/cryptography we're also making this leap in our next
release.
--
nosy: +alex
Python tracker
<http://bugs.python.org/is
Alex Gaynor added the comment:
I believe RC4 will still be used under 2.7.9 on clients, this is changed for
2.7.10
--
Python tracker
<http://bugs.python.org/issue23
New submission from Alex Gaynor:
On Thursday OpenSSL will disclose some security issues and issue new releases:
https://mta.openssl.org/pipermail/openssl-announce/2015-March/20.html
When that happens, Pythons that bundle an OpenSSL should be upgraded.
--
keywords: security_
New submission from Alex Gaynor:
The spec is available at https://http2.github.io/
--
components: Library (Lib)
messages: 239424
nosy: alex
priority: normal
severity: normal
status: open
title: http package should support HTTP/2
Python tracker
Alex Gaynor added the comment:
I'm concerned the _ssl changes will make security backports significantly more
difficult.
--
Python tracker
<http://bugs.python.org/is
New submission from Alex Gaynor:
>>> pickle.loads(b'(o.\x7f.')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
SystemError: Objects/tupleobject.c:71: bad argument to internal function
(Or the equivalent using cPickle on Python 2)
Found using h
Alex Gaynor added the comment:
Yes, it can execute arbitrary code, but I think we should prefer raising
"specific" error messages, instead of failing inside tuple details.
--
Python tracker
<http://bugs.python.o
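The two messages above make two separate points: a malformed stream should fail with a specific UnpicklingError rather than an internal SystemError, and pickle executes arbitrary code by design, so error quality is not a safety boundary. The following is an added example, not code from the report or from CPython. It feeds the reported stream to a loader and records what it raises, and it shows the standard mitigation for the second point: an Unpickler whose find_class only resolves an allow-list, tried against a constructed payload that would otherwise call os.system. The allow-list and the payload command are illustrative choices.

```python
import io
import os
import pickle


MALFORMED = b"(o.\x7f."   # the stream from the report above: MARK, OBJ, STOP


class Boom:
    """Constructed payload: __reduce__ tells the unpickler to call
    os.system("echo pwned") on load. Plain pickle.loads() would run it."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def payload():
    return pickle.dumps(Boom())


def benign():
    return pickle.dumps({"a": [1, 2], "b": "text"})


# Illustrative allow-list; a real one is derived from the types the
# application actually serializes.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve globals named in SAFE_GLOBALS; everything else, including
    os.system / posix.system, is refused before it can be called."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def outcome(data):
    """Name of the exception the restricted loader raises, or 'ok'."""
    try:
        restricted_loads(data)
    except Exception as exc:          # report, don't mask
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    print("benign:   ", restricted_loads(benign()))
    print("payload:  ", outcome(payload()))
    print("malformed:", outcome(MALFORMED))
```

The allow-list does not make pickle safe for untrusted input in general (a permitted class with a harmful __setstate__ is still reachable); it removes the direct call-any-callable path, which is the one the thread is discussing. Data from an untrusted party belongs in a format like JSON instead.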
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Python tracker
<http://bugs.python.org/issue24
Changes by Alex Gaynor :
--
nosy: +dstufft, ncoghlan
Python tracker
<http://bugs.python.org/issue24158>
Alex Gaynor added the comment:
Bug in the error message "n must be a multiple of 2." it should say "n must be
a power of 2."
--
nosy: +alex
Python tracker
<http://bug
Alex Gaynor added the comment:
PEP 466 includes hashlib.pbkdf2_hmac(). Any reasoning that includes that surely
is applicable to scrypt as well.
--
Python tracker
<http://bugs.python.org/issue27
Alex Gaynor added the comment:
OpenSSL supports scrypt
On Sep 7, 2016 12:28 PM, "Benjamin Peterson" wrote:
>
> Benjamin Peterson added the comment:
>
> Why are we adding scrypt and not argon2 anyway?
>
> On Wed, Sep 7, 2016, at 03:25, Christian Heimes wrote:
> &
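The scrypt messages above (the "n must be a power of 2" error wording, the PBKDF2 precedent, OpenSSL providing the primitive) are illustrated by the following added example, which is not code from the thread or from CPython's hashlib. It wraps hashlib.scrypt with the parameter validation the thread discusses, puts hashlib.pbkdf2_hmac beside it, and checks both against the published test vectors (RFC 7914 section 12 for scrypt; the widely used PBKDF2-HMAC-SHA256 "password"/"salt"/1 vector). The default work factors are this example's choices, not values from the page.

```python
import hashlib
import hmac
import os

# hashlib.scrypt exists only when Python was built against OpenSSL 1.1+.
SCRYPT_AVAILABLE = hasattr(hashlib, "scrypt")


def is_power_of_two(n):
    """scrypt's N must be > 1 and a power of two (a multiple of 2 is not enough)."""
    return n > 1 and (n & (n - 1)) == 0


def scrypt_key(password, salt, n=2 ** 14, r=8, p=1, dklen=32):
    """scrypt with the checks spelled out; defaults are this example's choice."""
    if not is_power_of_two(n):
        raise ValueError("n must be a power of 2, got %d" % n)
    if n >= 2 ** (128 * r // 8):
        raise ValueError("n must be less than 2**(128*r/8) for r=%d" % r)
    if not SCRYPT_AVAILABLE:
        raise RuntimeError("hashlib.scrypt unavailable: OpenSSL too old")
    # Memory use is roughly 128 * r * n bytes; OpenSSL's default maxmem cap
    # (32 MiB) comfortably covers n=2**14, r=8.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=dklen)


def pbkdf2_key(password, salt, iterations=600_000, dklen=32):
    """The PEP 466 primitive the thread cites as precedent; iteration count is
    this example's choice."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def new_salt():
    return os.urandom(16)


def verify(stored_key, candidate_key):
    """Constant-time comparison so a verifier does not leak matching prefixes."""
    return hmac.compare_digest(stored_key, candidate_key)


if __name__ == "__main__":
    salt = new_salt()
    pw = b"correct horse battery staple"          # constructed sample input
    print("pbkdf2:", pbkdf2_key(pw, salt).hex())
    if SCRYPT_AVAILABLE:
        k = scrypt_key(pw, salt)
        print("scrypt:", k.hex(), "verify:", verify(k, scrypt_key(pw, salt)))
    try:
        scrypt_key(pw, salt, n=1000)
    except ValueError as e:
        print("rejected:", e)
```

The test vectors pin the wrappers to the real algorithms: the scrypt vector (P="", S="", N=16, r=1, p=1) is the cheapest one in the RFC and fails immediately if the parameter plumbing is wrong.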
New submission from Alex Gaynor:
https://www.openssl.org/news/secadv/20160922.txt
--
assignee: christian.heimes
components: Library (Lib), SSL
keywords: security_issue
messages: 277226
nosy: alex, christian.heimes, dstufft, janssen, ned.deily, paul.moore,
ronaldoussoren, steve.dower
Changes by Alex Gaynor :
--
keywords: +security_issue
Python tracker
<http://bugs.python.org/issue28275>
Changes by Alex Gaynor :
--
nosy: +nadeem.vawda
Python tracker
<http://bugs.python.org/issue28275>