Hi Cory and Kevin! The Ubuntu Security team (most of the work was done by Marc Deslauriers) has actively fixed individual Python packages in Ubuntu's main archive pocket that are vulnerable to certificate verification flaws prior to the Python 2.7.9 change. While many packages were already doing proper certificate verification, we updated a number that were not:
http://www.ubuntu.com/usn/usn-1265-1/
http://www.ubuntu.com/usn/usn-1270-1/
http://www.ubuntu.com/usn/usn-1352-1/
http://www.ubuntu.com/usn/usn-1375-1/
http://www.ubuntu.com/usn/usn-1381-1/
http://www.ubuntu.com/usn/usn-1464-1/
http://www.ubuntu.com/usn/usn-1465-1/
http://www.ubuntu.com/usn/usn-1465-2/
http://www.ubuntu.com/usn/usn-1547-1/

You're correct that code living outside of Ubuntu's archive must do the right thing or be updated, by the system administrator, to a release that does do the right thing. We also keep in mind that there are many one-off scripts, cron jobs, etc., connecting to a server with a self-signed cert, that would break due to such a change. We have to walk a fine line between providing security updates at all costs and potentially breaking production machines with those updates. While we try our best to err on the side of security whenever possible, it did not make sense to us in this instance.

However, we are now looking into ways for our users to opt in to full certificate verification using our python2.7 packages. While enabling full certificate verification by default, as performed by Python 2.7.9, in a stable Ubuntu release is not a possibility due to the issues I mentioned above, there are some other options on the table. We will look at backporting the appropriate 2.7.9 patches to our python2.7 package in 14.04 and 12.04, or possibly bump those package versions up to 2.7.9. If either of those options is possible, we'll employ the strategy proposed by PEP 493, where full certificate verification is disabled by default but configurable at a system-wide level through /etc/python/cert-verification.cfg. This opt-in approach should allow the owners of systems to enable the changes from PEP 476 once they know their applications, scripts, cron jobs, etc., will continue to work correctly.
https://bugs.launchpad.net/bugs/1401322
Title: Upgrade to Python 2.7.9
Status in python-defaults package in Ubuntu: Confirmed
Bug description: Python 2.7.9 contains numerous security improvements for Python.
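As an added example (not code from the post, from Ubuntu's packages, or from PEP 493 itself) of the opt-in scheme described above: a reader for a cert-verification.cfg style file and the matching ssl context an application would hand to urlopen. The config text is constructed, "disable" as the platform default is assumed from what the post says Ubuntu would ship, and the code is written for Python 3 (the same ssl calls exist from 2.7.9 onward).

```python
import ssl
import configparser

# Constructed sample in the PEP 493 format; not a file shipped by Ubuntu.
SAMPLE_CFG = """\
[https]
verify=enable
"""

VALID_SETTINGS = ("enable", "disable", "platform_default")


def read_verify_setting(cfg_text, platform_default="disable"):
    """Resolve the [https] verify= value of a PEP 493 style config file
    to 'enable' or 'disable'.

    platform_default is what the distribution ships; the post says Ubuntu
    would keep verification disabled by default, so that is assumed here.
    A missing section or key means "use the platform default".
    """
    parser = configparser.RawConfigParser()
    parser.read_string(cfg_text)
    value = parser.get("https", "verify", fallback="platform_default")
    value = value.strip().lower()
    if value not in VALID_SETTINGS:
        raise ValueError("unknown verify setting: %r" % value)
    return platform_default if value == "platform_default" else value


def https_context(setting):
    """Build the SSLContext a client passes as urlopen(url, context=ctx)."""
    ctx = ssl.create_default_context()  # CA bundle loaded, hostname check on
    if setting == "disable":
        # Reproduce the pre-2.7.9 behaviour: no chain or hostname validation.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    chosen = read_verify_setting(SAMPLE_CFG)
    context = https_context(chosen)
    print(chosen, context.verify_mode == ssl.CERT_REQUIRED, context.check_hostname)
```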