classification
Title: Update OpenSSL versions in Windows builds
Type: security
Stage: resolved
Components: Build, Windows
Versions: Python 3.4, Python 3.3
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, christian.heimes, georg.brandl, larry, loewis, pitrou, python-dev
Priority: release blocker
Keywords:

Created on 2013-03-14 22:10 by pitrou, last changed 2013-05-12 11:24 by pitrou. This issue is now closed.

Messages (13)
msg184199 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-14 22:10
OpenSSL recently issued a security advisory (*). Our bundled OpenSSL versions seem to be vulnerable. They should be updated to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y depending on the version.

(*) http://www.openssl.org/news/secadv_20130205.txt

Apologies if this has already been handled and I've misunderstood Tools/buildbot/external-common.bat.
msg184204 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2013-03-14 22:43
No, it hasn't been handled. I'll look into it next week.
msg184920 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2013-03-21 22:59
Martin, is this something that needs to be worked on before the rc this weekend?
msg184966 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2013-03-22 14:08
Indeed. I hope to get to it later this evening.
msg185006 - (view) Author: Roundup Robot (python-dev) Date: 2013-03-22 21:02
New changeset 3d76dbbbb0cc by Martin v. Loewis in branch '2.7':
Issue #17425: Build against openssl 0.9.8y on Windows.
http://hg.python.org/cpython/rev/3d76dbbbb0cc
msg185008 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2013-03-22 21:09
0.9.8y seems to work fine on 2.7; I'll do the other ones later.
msg185009 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2013-03-22 21:10
Thank you!
msg185159 - (view) Author: Roundup Robot (python-dev) Date: 2013-03-24 21:12
New changeset 0fb7db2f9b5e by Martin v. Loewis in branch '3.2':
Issue #17425: Build with openssl 1.0.0k on Windows.
http://hg.python.org/cpython/rev/0fb7db2f9b5e

New changeset 8051e6ff97e2 by Martin v. Loewis in branch '3.3':
#17425: null merge 3.2
http://hg.python.org/cpython/rev/8051e6ff97e2
msg185160 - (view) Author: Roundup Robot (python-dev) Date: 2013-03-24 21:53
New changeset 840a90e8cefd by Martin v. Löwis in branch '3.3':
Issue #17425: Build with openssl 1.0.1d on Windows.
http://hg.python.org/cpython/rev/840a90e8cefd

New changeset a626a32bd42d by Martin v. Löwis in branch 'default':
#17425: merge 3.3
http://hg.python.org/cpython/rev/a626a32bd42d
msg185161 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2013-03-24 21:53
This is now fixed.
msg185504 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-03-29 17:42
Sorry to reopen :-). It seems OpenSSL 1.0.1d was a kind of "brown paper bag" release, they've released 1.0.1e since (some of test_ssl can fail on 1.0.1d and succeed on 1.0.1e, as experienced on my Linux setup; the Windows buildbots also exhibit similar failures).

Following is their description of the fix:

“Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]”
msg188020 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2013-04-28 20:48
Please don't reopen issues. If there is a bug in the current setup, please submit a new report indicating what the problem is.
msg189019 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-05-12 11:24
Opened #17962 to tackle the broken OpenSSL issue.
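
Added example (not part of the tracker thread or of CPython's build scripts): a check that classifies an OpenSSL version string, such as the one Python exposes in `ssl.OPENSSL_VERSION`, against the per-series minimums named in this issue and flags 1.0.1d as the incomplete CVE-2013-0169 fix described in msg185504. The function names, result labels and sample strings are assumptions made for illustration.

```python
import re
import ssl

# Minimum patch letter per OpenSSL release series, as named in msg184199.
FLOORS = {(0, 9, 8): "y", (1, 0, 0): "k", (1, 0, 1): "d"}
# msg185504: the CVE-2013-0169 fix in 1.0.1d was corrected in 1.0.1e.
INCOMPLETE = {((1, 0, 1), "d")}

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), patch_letters) or None if not OpenSSL."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    series = tuple(int(g) for g in m.group(1, 2, 3))
    return series, m.group(4)


def _letter_key(letters):
    # Patch letters run a..z and then za, zb, ...; comparing length first
    # keeps "za" above "y" and a bare release ("") below "a".
    return (len(letters), letters)


def classify(text):
    """Classify a version string against the floors from this issue."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unrecognized"      # e.g. a different TLS library
    series, letters = parsed
    floor = FLOORS.get(series)
    if floor is None:
        return "unknown-series"    # series not discussed in this issue
    if _letter_key(letters) < _letter_key(floor):
        return "outdated"
    if (series, letters) in INCOMPLETE:
        return "incomplete-fix"
    return "ok"


if __name__ == "__main__":
    # Constructed sample strings in the format of ssl.OPENSSL_VERSION.
    for sample in ("OpenSSL 1.0.1c 10 May 2012", "OpenSSL 1.0.1d 5 Feb 2013",
                   "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(sample, "->", classify(sample))
    print(ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION))
```
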
History
Date | User | Action | Args
2013-05-12 11:24:40 | pitrou | set | status: open -> closed; messages: + msg189019; stage: resolved
2013-04-28 20:48:31 | loewis | set | messages: + msg188020
2013-04-28 19:27:28 | georg.brandl | set | versions: + Python 3.3
2013-03-29 17:43:00 | pitrou | set | status: closed -> open; messages: + msg185504; versions: - Python 3.3
2013-03-24 21:53:43 | loewis | set | status: open -> closed; resolution: fixed; messages: + msg185161
2013-03-24 21:53:11 | python-dev | set | messages: + msg185160
2013-03-24 21:17:15 | loewis | set | versions: - Python 3.2
2013-03-24 21:12:40 | python-dev | set | messages: + msg185159
2013-03-23 14:46:35 | benjamin.peterson | set | versions: - Python 2.7
2013-03-22 21:10:23 | benjamin.peterson | set | messages: + msg185009
2013-03-22 21:09:37 | loewis | set | messages: + msg185008
2013-03-22 21:02:11 | python-dev | set | nosy: + python-dev; messages: + msg185006
2013-03-22 14:08:20 | loewis | set | messages: + msg184966
2013-03-21 22:59:45 | benjamin.peterson | set | messages: + msg184920
2013-03-14 22:43:08 | loewis | set | messages: + msg184204
2013-03-14 22:10:17 | pitrou | create |