Bug 2016386 - The RPM requires of the current awscli package prevent a security update of python3-rsa.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: awscli
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: David Duncan
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-10-21 12:55 UTC by Christian Krause
Modified: 2021-11-11 01:22 UTC (History)

Fixed In Version: awscli-1.21.4-1.fc36 awscli-1.19.100-2.fc34 awscli-1.21.7-2.fc35 awscli-1.18.223-2.fc33
Last Closed: 2021-11-11 00:54:45 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1895779 1 None None None 2021-10-21 15:13:36 UTC

Description Christian Krause 2021-10-21 12:55:36 UTC
Description of problem:
The RPM requires of the current awscli package prevent a security update of python3-rsa.

https://bodhi.fedoraproject.org/updates/FEDORA-2021-c1fef03e71


Version-Release number of selected component (if applicable):
python3-rsa-4.6-2.fc33.noarch
awscli-1.18.223-1.fc33.noarch



How reproducible:
100%

Steps to Reproduce:
1. dnf update

Actual results:

 Problem: package awscli-1.18.223-1.fc33.noarch requires (python3.9dist(rsa) <= 4.7 with python3.9dist(rsa) >= 3.1.2), but none of the providers can be installed
  - cannot install both python3-rsa-4.7.2-1.fc33.noarch and python3-rsa-4.6-2.fc33.noarch
  - cannot install the best update candidate for package python3-rsa-4.6-2.fc33.noarch
  - cannot install the best update candidate for package awscli-1.18.223-1.fc33.noarch
==============================================================================================================================================================================================================================================
 Package                                                    Architecture                                          Version                                                        Repository                                              Size
==============================================================================================================================================================================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 python3-rsa                                                noarch                                                4.7.2-1.fc33                                                   updates                                                 58 k

Transaction Summary
==============================================================================================================================================================================================================================================
Skip  1 Package


Expected results:
- update should succeed

Additional info:
rpm -q --requires awscli |grep rsa
(python3.9dist(rsa) <= 4.7 with python3.9dist(rsa) >= 3.1.2)
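
Why the solver rejects python3-rsa 4.7.2, as an added example that is not part of the original report: RPM orders 4.7.2 above 4.7, so the `<= 4.7` ceiling in the awscli Requires excludes the security update. The function names, the simplified version comparison and the `RELAXED` string (the same clause with the ceiling raised to 4.8) are assumptions made for illustration.

```python
import re

# Requires line quoted in the report (output of `rpm -q --requires awscli | grep rsa`).
REPORTED = "(python3.9dist(rsa) <= 4.7 with python3.9dist(rsa) >= 3.1.2)"
# Constructed for comparison: the same clause with the ceiling raised to 4.8.
RELAXED = "(python3.9dist(rsa) <= 4.8 with python3.9dist(rsa) >= 3.1.2)"

CLAUSE = re.compile(r"(?P<name>[^\s()]+(?:\([^()]*\))?)\s*(?P<op><=|>=|<|>|=)\s*(?P<ver>[^\s()]+)")
OPS = {"<=": lambda c: c <= 0, ">=": lambda c: c >= 0,
       "<": lambda c: c < 0, ">": lambda c: c > 0, "=": lambda c: c == 0}


def rpmvercmp(a, b):
    """Simplified RPM version compare: returns -1, 0 or 1.
    Handles digit/alpha segments only (no epoch, release, '~' or '^')."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", v) for v in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the version with extra segments is newer,
    # which is why 4.7.2 is greater than 4.7.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def failed_bounds(rich_dep, capability, candidate):
    """Return the clauses of a `with` (AND) rich dependency that `candidate`
    violates for `capability`; an empty list means the update is installable."""
    failed = []
    for m in CLAUSE.finditer(rich_dep):
        if m["name"] == capability and not OPS[m["op"]](rpmvercmp(candidate, m["ver"])):
            failed.append(f'{m["op"]} {m["ver"]}')
    return failed


if __name__ == "__main__":
    cap = "python3.9dist(rsa)"
    for label, dep in (("reported", REPORTED), ("relaxed", RELAXED)):
        for ver in ("4.6", "4.7.2"):
            print(label, ver, failed_bounds(dep, cap, ver) or "ok")
```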

Comment 1 David Duncan 2021-10-22 13:34:08 UTC
working on a replacement RPM package here, but will review this and make sure it is cleared.

Comment 3 Gwyn Ciesla 2021-10-22 13:35:48 UTC
Thanks for letting me know, I was going to get to this today and I'm glad I won't step on your toes.

Comment 4 David Duncan 2021-10-26 19:56:51 UTC
@gwync just an fyi, you do such excellent work, I will always defer. 

I worked with the upstream devel team yesterday and they are looking at working the python-rsa out of the dependencies in favor of python-cryptography. 

I am also working on completing the new awscli-2 and that removes the dependency altogether.

Comment 5 Gwyn Ciesla 2021-10-27 16:49:34 UTC
@davdunc You're too kind. :)

I'll update the sed statement to allow up to rsa 4.8 in the .4 release, coming momentarily.

Comment 6 Fedora Update System 2021-10-27 17:36:58 UTC
FEDORA-2021-032f3ed942 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 7 Christian Krause 2021-10-30 19:26:06 UTC
@gwync, unfortunately, the issue is still present in F33 (security update of python3-rsa is blocked by awscli) and I haven't seen any commits or builds for F33/F34.

Please could you update awscli for F33 (and probably F34) as well? If needed, I can certainly help out here and apply the same patch to the F33 and F34 branch in order to relax the BRs. Please let me know if I can/should do this.

Comment 8 Gwyn Ciesla 2021-11-02 14:02:34 UTC
Apologies, getting those out now.

Comment 9 Fedora Update System 2021-11-02 15:07:36 UTC
FEDORA-2021-f916f64e5e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-f916f64e5e

Comment 10 Fedora Update System 2021-11-02 15:10:26 UTC
FEDORA-2021-bbe47cbab6 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-bbe47cbab6

Comment 11 Fedora Update System 2021-11-02 15:10:27 UTC
FEDORA-2021-89619b6feb has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-89619b6feb

Comment 12 Fedora Update System 2021-11-03 01:36:40 UTC
FEDORA-2021-f916f64e5e has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-f916f64e5e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-f916f64e5e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2021-11-03 02:00:51 UTC
FEDORA-2021-89619b6feb has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-89619b6feb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-89619b6feb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2021-11-03 02:26:11 UTC
FEDORA-2021-bbe47cbab6 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-bbe47cbab6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bbe47cbab6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Ben Cotton 2021-11-04 13:37:35 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 David Duncan 2021-11-04 18:53:57 UTC
looking at the dependency declaration: https://github.com/aws/aws-cli/blob/develop/setup.cfg#L11 its ceiling is 4.8 and the latest release appears to be 4.7.2

Comment 19 Fedora Update System 2021-11-11 00:54:45 UTC
FEDORA-2021-89619b6feb has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Fedora Update System 2021-11-11 01:18:43 UTC
FEDORA-2021-f916f64e5e has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2021-11-11 01:22:37 UTC
FEDORA-2021-bbe47cbab6 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

