- Bug
- Resolution: Unresolved
- Normal
- rhel-9.2.0.z, rhel-9.4.z, rhel-9.5
- python3.9-3.9.19-2.el9
- Low
- ZStream
- sst_pt_python_ruby_nodejs
- ssg_core_services
- 5
- False
- Approved Blocker
- Pass

Python in FIPS mode disables hash-based .pyc invalidation mode due to using a non-FIPS approved digest, siphash13.
For images or systems where the SOURCE_DATE_EPOCH variable is set automatically, Python will change the .pyc invalidation mode to hash-based, instead of the default time-based. As a result, if the system is then changed to FIPS mode or the images are deployed in FIPS environments, Python will fail with a traceback when trying to import the already generated .pyc files.
However, since siphash is used just for hashing and not in any security context, it is permissible to allow those .pyc files to be imported.
We'll need to remove the part of the FIPS patch that disables the hash-based .pyc invalidation mode in FIPS mode.
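
To find which cached files in an image would hit this failure before the image is deployed in a FIPS environment, the invalidation mode can be read from each .pyc header. The following is an added example, not part of the original report or of the Python patch; it assumes the PEP 552 header layout, and the helper names (`classify_pyc`, `scan_tree`, `make_header`, `demo`) and the sample files are constructed for illustration.

```python
import importlib.util
import os
import struct
import tempfile

# PEP 552 .pyc header: 4-byte magic, 4-byte little-endian flags, then 8 bytes
# holding either (mtime, source size) or the 8-byte source hash.
FLAG_HASH_BASED = 0x1    # bit 0: header carries a source hash
FLAG_CHECK_SOURCE = 0x2  # bit 1: re-hash the source on import

def classify_pyc(header: bytes) -> str:
    """Return the invalidation mode recorded in a .pyc header."""
    if len(header) < 16:
        return "truncated"
    if header[:4] != importlib.util.MAGIC_NUMBER:
        return "foreign-magic"  # built by a different Python version
    (flags,) = struct.unpack("<I", header[4:8])
    if flags & ~(FLAG_HASH_BASED | FLAG_CHECK_SOURCE):
        return "unknown-flags"
    if not flags & FLAG_HASH_BASED:
        return "timestamp"
    return "checked-hash" if flags & FLAG_CHECK_SOURCE else "unchecked-hash"

def scan_tree(root: str) -> dict:
    """Map each .pyc path under root to its invalidation mode."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".pyc"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result[path] = classify_pyc(fh.read(16))
    return result

def make_header(flags: int) -> bytes:
    """Constructed sample header; the 8 trailing bytes are filler."""
    return importlib.util.MAGIC_NUMBER + struct.pack("<I", flags) + b"\x00" * 8

def demo() -> dict:
    """Write three constructed .pyc files and return mode counts."""
    with tempfile.TemporaryDirectory() as root:
        for name, flags in (("a.pyc", 0), ("b.pyc", 3), ("c.pyc", 1)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(make_header(flags))
        counts = {}
        for mode in scan_tree(root).values():
            counts[mode] = counts.get(mode, 0) + 1
        return counts
```

Run `scan_tree` with the interpreter that will import the files, since a magic number from another Python version is reported as `foreign-magic`. Any path reported as `checked-hash` or `unchecked-hash` is a file generated in hash-based mode.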
- is cloned by
  - RHEL-40769 python3.12: Allow hash-based .pyc invalidation mode when in FIPS mode[rhel-10] (Release Pending)
  - RHEL-40786 python39: 3.9: Allow hash-based .pyc invalidation mode when in FIPS mode [rhel-8.10.z] (Closed)
- links to
  - RHSA-2024:133318 python3.9 bug fix and enhancement update