Note that the posted patch should not be pushed but rather applied in downstream packages. E.g in Fedora rawhide when 4.3 will be released.

After the release this ticket is supposed to be cloned to Fedora rawhide.

Lowering priority given that it is not a blocker for the actual release but rather for downstream package.

The Christian's patch: http://www.redhat.com/archives/freeipa-devel/2015-December/msg00234.html for master branch.

Moving, 4.3 was released.

4.3.2 was released, moving to 4.3.3

Lowering priority, this is handled in downstream patches.

The problem should be fixed by python-cryptography >= 1.2 with python-cffi >= 1.4.1, too.

• python-cryptography >= 1.2 is in F24 and F25 since 2016-01-09
• python-cffi >= 1.4.1 is in F23, F24, F25 since 2016-01-07

So it looks like we can close this ticket. And remove the downstream patch which is mentioned in https://fedorahosted.org/freeipa/ticket/5442#comment:7

But I wonder, why https://bugzilla.redhat.com/show_bug.cgi?id=1277224 is still open.

The execmem denial is only fixed for recent versions of cryptography with a recent version of cffi. PyOpenSSL still uses cffi's old closure API for callback which requires dynamic code creation. It would take a lot of effort to migrate PyOpenSSL to static callbacks.

4.3.x EOL