[Python-modules-team] Bug#766296: python-urllib3: shouldn't it depend on python-ndg-httpsclient, python-openssl and python-pyasn1
Christoph Anton Mitterer
calestyo at scientia.net
Wed Oct 22 01:00:30 UTC 2014
Package: python-urllib3
Version: 1.9.1-2
Severity: important
Tags: security
Hi.
I've read that worrisome entry in the changelog.Debian:
> - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
> python-urllib3's Recommends to ensure that SNI works as expected and to
> prevent CRIME attack
So apparently you are saying that without python-ndg-httpsclient, python-openssl
and python-pyasn1, python-urllib3 is vulnerable to at least CRIME, right?
But shouldn't it then Depend on all of those? Or is it guaranteed that
all code that might ever use python-urllib3 will check for these dependencies
whenever SSL/TLS is used, and therefore be on the safe side?
I mean, if e.g. openssl would dynamically load libssl and silently default to
using only the aNULL and eNULL ciphersuites when it's not present, one would
probably also say "libssl is mandatory, since otherwise security isn't
guaranteed".
Cheers,
Chris
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-urllib3 depends on:
ii python-six 1.8.0-1
pn python:any <none>
Versions of packages python-urllib3 recommends:
ii ca-certificates 20141019
ii python-ndg-httpsclient 0.3.2-1
ii python-openssl 0.14-1
ii python-pyasn1 0.1.7-1
python-urllib3 suggests no packages.
-- no debconf information
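The changelog entry quoted above bundles two separate properties: SNI (so the
client sends the hostname and the server can pick the right certificate) and
refusing TLS-level compression (the CRIME vector). The stdlib ssl module of
Python 2 before 2.7.9 exposed neither, which is why urllib3 1.9 relied on the
pyOpenSSL + ndg-httpsclient + pyasn1 trio for them. The following is an added
example, not code from the bug report or from urllib3: a small runtime posture
check on the Python 3 stdlib ssl API that an application can run before it
trusts a context, plus a hardening helper. Function names (tls_posture, harden,
assert_safe) are the example's own, and the "weak" options value of 0 is a
constructed stand-in for what a bare old ssl module offered.

```python
import ssl

# Constructed example (not urllib3's code): a runtime check for the two
# properties the Debian changelog entry cares about, SNI and the absence of
# TLS compression, so that missing optional TLS back-ends are detected
# instead of silently degrading the connection.

def tls_posture(options, has_sni=None):
    """Report whether the integer SSLContext.options value refuses TLS
    compression and whether this interpreter can send SNI at all.
    has_sni defaults to ssl.HAS_SNI (availability of the SNI extension)."""
    if has_sni is None:
        has_sni = ssl.HAS_SNI
    return {
        "sni": bool(has_sni),
        # OP_NO_COMPRESSION unset means DEFLATE may be negotiated: CRIME.
        "no_compression": bool(options & ssl.OP_NO_COMPRESSION),
    }


def harden(ctx):
    """Corrected configuration: refuse TLS compression and insist on
    certificate verification with hostname checking (verify_mode must be
    set before check_hostname, otherwise ssl raises ValueError)."""
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def assert_safe(ctx):
    """Fail loudly, the way the bug report asks for, instead of falling back
    to a weaker connection when a required property is missing."""
    posture = tls_posture(ctx.options)
    missing = [name for name, ok in posture.items() if not ok]
    if missing:
        raise RuntimeError("TLS context unsafe, missing: " + ", ".join(missing))
    return posture


if __name__ == "__main__":
    # Weak setting: no options at all, roughly what a pre-2.7.9 Python 2 ssl
    # module gave you (no OP_NO_COMPRESSION, and HAS_SNI did not exist).
    print("weak   :", tls_posture(0, has_sni=False))
    # Corrected setting: a hardened client context.
    print("hardened:", assert_safe(harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))))
```

Calling assert_safe() once at startup (or in a test) is the "guaranteed check"
the report asks about: the process refuses to run with a context that could
negotiate compression rather than quietly continuing.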