RHBA-2009:1351 - Bug Fix Advisory

Topic

An updated m2crypto package that fixes various bugs is now available.

Description

The m2crypto package contains a Python module that makes it possible to
call OpenSSL functions from Python scripts.

Bugs fixed in this updated package include:

• closing a file object returned by m2urllib2 did not immediately close the

underlying network connection. This could cause a process to run out of
file handles. Closing a file object now closes the sockets associated with
it and avoids leaking file descriptors. (BZ#460692)

• the Python global interpreter lock was not released by blocking m2crypto

functions, making it impossible to use m2crypto concurrently in a
multi-threaded program. M2Crypto now uses the thread support in SWIG for
functions that are likely to block. M2Crypto can now accept additional
connections even when a different thread is still waiting for incoming
data. (BZ#472690)

• m2urllib2 used absolute URIs in HTTP requests instead of using only the

selector part of the URI, which is not supported by some HTTP servers. Now,
m2urllib2 makes requests with only the selector part of the URI, ensuring
that the request is understood even by HTTP servers that do not support
requests made with the absolute URI. (BZ#491674)

• the M2Crypto SSL certificate checker incorrectly rejected

certificates with a subjectAltName extension that did not contain a host
name. M2Crypto now uses the certificate subject field instead of
subjectAltName if subjectAltName does not contain a host name. (BZ#504060)

• the OpenSSL locking callback in M2Crypto did not block on a lock when the

lock was held by another thread. This could cause data corruption in
multi-threaded applications. The locking callback now functions correctly,
regardless of which thread holds the lock. (BZ#507903)

Users are advised to upgrade to this updated m2crypto package, which
resolves these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 460692 - m2crypto leaks fds into GC
• BZ - 472690 - m2crypto blocks python thread
• BZ - 491674 - Use relative paths in HTTP requests via m2urllib2
• BZ - 504060 - m2crypto does not handle subjectAltName having non DNS:xxx entries.
• BZ - 507903 - m2crypto's OpenSSL locking callback does a sem_trywait() instead of sem_wait ()

CVEs

(none)

References

(none)