Bug
Resolution: Done-Errata
Normal
ZStream
rhel-sst-pt-python-ruby-nodejs
ssg_core_services
Approved Blocker
Pass

Python in FIPS mode disables the hash-based .pyc invalidation mode because it uses a non-FIPS-approved digest, siphash13.
For images or systems where the SOURCE_DATE_EPOCH variable is set automatically, Python will change the .pyc invalidation mode to hash-based, instead of the default time-based. As a result, if the system is then changed to FIPS mode or the images are deployed in FIPS environments, Python will fail with a traceback when trying to import the already generated .pyc files.
However, since siphash is used just for hashing and not in any security context, it is permissible to allow those .pyc files to be imported.
We'll need to remove the part of the FIPS patch that disables the hash-based .pyc invalidation mode in FIPS mode.
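
To check whether an image or system already carries hash-based .pyc files before it is moved to a FIPS environment, the invalidation mode can be read from each file's 16-byte header (the flags word defined in PEP 552). This is an added example, not code from the ticket or the Python packages; the function names and the sample tree are assumptions made for illustration.

```python
import importlib.util
import os
import py_compile
import struct
import sys

def pyc_invalidation_mode(path):
    """Classify a .pyc by the PEP 552 flags word at header bytes 4..8."""
    with open(path, "rb") as f:
        header = f.read(16)
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError(f"{path}: not a .pyc for this interpreter")
    flags = struct.unpack("<I", header[4:8])[0]
    if not flags & 0b01:              # bit 0 clear: mtime + size follow
        return "timestamp"
    # bit 0 set: an 8-byte source hash follows; bit 1 is check_source
    return "checked-hash" if flags & 0b10 else "unchecked-hash"

def find_hash_based(root):
    """Return sorted (path, mode) pairs for every hash-based .pyc under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".pyc"):
                continue
            path = os.path.join(dirpath, name)
            try:
                mode = pyc_invalidation_mode(path)
            except ValueError:
                continue              # other interpreter version or truncated
            if mode != "timestamp":
                found.append((path, mode))
    return sorted(found)

def build_sample_tree(root):
    """Constructed sample: compile one module in each invalidation mode."""
    src = os.path.join(root, "mod.py")
    with open(src, "w") as f:
        f.write("x = 1\n")
    for mode in py_compile.PycInvalidationMode:
        py_compile.compile(src, cfile=os.path.join(root, mode.name.lower() + ".pyc"),
                           invalidation_mode=mode)

if __name__ == "__main__":
    # Usage: python check_pyc.py /usr/lib64/python3.9   (path is an example)
    for path, mode in find_hash_based(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{mode}\t{path}")
```

The scan only recognises files built for the interpreter running it, so run it with the same Python version that ships in the image.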

- clones: RHEL-40750 python3.9: Allow hash-based .pyc invalidation mode when in FIPS mode [rhel-9.5.0] (Closed)
- links to:
  - RHBA-2024:138118 updated ubi8/python-39 container image
  - RHSA-2024:137034 python39:3.9 and python39-devel:3.9 security update