Created on 2013-03-14 22:10 by pitrou, last changed 2013-05-12 11:24 by pitrou. This issue is now closed.
| Messages (13) | |||
|---|---|---|---|
| msg184199 - (view) | Author: Antoine Pitrou (pitrou) *  |
Date: 2013-03-14 22:10 | |
OpenSSL recently issued a security advisory (*). Our bundled OpenSSL versions seem to be vulnerable. They should be updated to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y depending on the version. (*) http://www.openssl.org/news/secadv_20130205.txt Apologies if this has already been handled and I've misunderstood Tools/buildbot/external-common.bat. |
|||
| msg184204 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2013-03-14 22:43 | |
No, it hasn't been handled. I'll look into it next week. |
|||
| msg184920 - (view) | Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2013-03-21 22:59 | |
Martin, is something that needs to be worked on before the rc this weekend? |
|||
| msg184966 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2013-03-22 14:08 | |
Indeed. I hope to get to it later this evening. |
|||
| msg185006 - (view) | Author: Roundup Robot (python-dev) | Date: 2013-03-22 21:02 | |
New changeset 3d76dbbbb0cc by Martin v. Loewis in branch '2.7': Issue #17425: Build against openssl 0.9.8y on Windows. http://hg.python.org/cpython/rev/3d76dbbbb0cc |
|||
| msg185008 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2013-03-22 21:09 | |
0.9.8y seems to work fine on 2.7; I'll do the other ones later. |
|||
| msg185009 - (view) | Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2013-03-22 21:10 | |
Thank you! |
|||
| msg185159 - (view) | Author: Roundup Robot (python-dev) | Date: 2013-03-24 21:12 | |
New changeset 0fb7db2f9b5e by Martin v. Loewis in branch '3.2': Issue #17425: Build with openssl 1.0.0k on Windows. http://hg.python.org/cpython/rev/0fb7db2f9b5e New changeset 8051e6ff97e2 by Martin v. Loewis in branch '3.3': #17425: null merge 3.2 http://hg.python.org/cpython/rev/8051e6ff97e2 |
|||
| msg185160 - (view) | Author: Roundup Robot (python-dev) | Date: 2013-03-24 21:53 | |
New changeset 840a90e8cefd by Martin v. Löwis in branch '3.3': Issue #17425: Build with openssl 1.0.1d on Windows. http://hg.python.org/cpython/rev/840a90e8cefd New changeset a626a32bd42d by Martin v. Löwis in branch 'default': #17425: merge 3.3 http://hg.python.org/cpython/rev/a626a32bd42d |
|||
| msg185161 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2013-03-24 21:53 | |
This is now fixed. |
|||
| msg185504 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2013-03-29 17:42 | |
Sorry to reopen :-). It seems OpenSSL 1.0.1d was a kind of "brown paper bag" release, they've released 1.0.1e since (some of test_ssl can fail on 1.0.1d and succeed on 1.0.1e, as experienced on my Linux setup; the Windows buildbots also exhibit similar failures).
Following is their description of the fix:
“Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]”
|
|||
| msg188020 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2013-04-28 20:48 | |
Please don't reopen issues. If there is a bug in the current setup, please submit a new reporting indicating what the problem is. |
|||
| msg189019 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2013-05-12 11:24 | |
Opened #17962 to tackle the broken OpenSSL issue. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2013-05-12 11:24:40 | pitrou | set | status: open -> closed messages: + msg189019 stage: resolved |
| 2013-04-28 20:48:31 | loewis | set | messages: + msg188020 |
| 2013-04-28 19:27:28 | georg.brandl | set | versions: + Python 3.3 |
| 2013-03-29 17:43:00 | pitrou | set | status: closed -> open messages: + msg185504 versions: - Python 3.3 |
| 2013-03-24 21:53:43 | loewis | set | status: open -> closed resolution: fixed messages: + msg185161 |
| 2013-03-24 21:53:11 | python-dev | set | messages: + msg185160 |
| 2013-03-24 21:17:15 | loewis | set | versions: - Python 3.2 |
| 2013-03-24 21:12:40 | python-dev | set | messages: + msg185159 |
| 2013-03-23 14:46:35 | benjamin.peterson | set | versions: - Python 2.7 |
| 2013-03-22 21:10:23 | benjamin.peterson | set | messages: + msg185009 |
| 2013-03-22 21:09:37 | loewis | set | messages: + msg185008 |
| 2013-03-22 21:02:11 | python-dev | set | nosy:
+ python-dev messages: + msg185006 |
| 2013-03-22 14:08:20 | loewis | set | messages: + msg184966 |
| 2013-03-21 22:59:45 | benjamin.peterson | set | messages: + msg184920 |
| 2013-03-14 22:43:08 | loewis | set | messages: + msg184204 |
| 2013-03-14 22:10:17 | pitrou | create | |