➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2014-06-05 17:29 by lambacck, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Messages (12) | |||
|---|---|---|---|
| msg219828 - (view) | Author: Chris Lambacher (lambacck) * | Date: 2014-06-05 17:29 | |
http://www.openssl.org/news/secadv_20140605.txt All client versions of OpenSSL are vulnerable so all Windows builds of Python are vulnerable to MITM attacks when connecting to vulnerable servers. |
|||
| msg219829 - (view) | Author: Zachary Ware (zach.ware) *  |
Date: 2014-06-05 18:33 | |
2.7, 3.4, and default should be updated; should we do anything for 3.1-3.3 since they will not get any further installers? |
|||
| msg219847 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2014-06-05 21:07 | |
This isn't an issue for releases in security-fix mode (3.1, 3.2, 3.3) since there are not changes to Python involved and we do not provide binary installers for releases in that mode. |
|||
| msg219848 - (view) | Author: Donald Stufft (dstufft) * |
Date: 2014-06-05 21:11 | |
Might it make sense to special case 3.2 and 3.3 since the last releases of those were not security releases and the security issue is with a bundled library? |
|||
| msg219849 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2014-06-05 21:15 | |
We can ask for an opinion from the 3.2 and 3.3 release managers (adding Georg) but I doubt that anyone is going to be interested in producing Windows binary installers for those release plus we haven't done this for 3.2.x for recent previous OpenSSL CVE's, have we? |
|||
| msg219862 - (view) | Author: Roundup Robot (python-dev)  |
Date: 2014-06-06 06:28 | |
New changeset 3dfdcc97250f by Zachary Ware in branch '2.7': Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h http://hg.python.org/cpython/rev/3dfdcc97250f New changeset 79f3d25caac3 by Zachary Ware in branch '3.4': Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h http://hg.python.org/cpython/rev/79f3d25caac3 New changeset a32ced15b883 by Zachary Ware in branch 'default': Issue #21671: Merge with 3.4 http://hg.python.org/cpython/rev/a32ced15b883 |
|||
| msg219865 - (view) | Author: Georg Brandl (georg.brandl) * |
Date: 2014-06-06 06:55 | |
Martin, would you make installers for a new 3.2 and 3.3 release? |
|||
| msg219871 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2014-06-06 11:22 | |
I'm unsure. I'd rather stick to the established policy. If there are reasons to change the policy, I'd like to know what they are and what a new policy should look like, instead of making a singular exception from the policy. For the record, the reason *for* the policy is that it reduces maintenance burden; I'm unsure whether I still have the environment to build Python 3.2, for example. |
|||
| msg219960 - (view) | Author: Georg Brandl (georg.brandl) * |
Date: 2014-06-07 18:55 | |
Well, it's entirely logical to follow our own policies :) |
|||
| msg220043 - (view) | Author: Zachary Ware (zach.ware) * |
Date: 2014-06-08 18:57 | |
So installers are out for 3.1-3.3; should we still update the externals script and pyproject properties for those branches anyway? If not, this issue should be ready to close. |
|||
| msg220045 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2014-06-08 19:02 | |
The only reason to do it is to help out those who build from source, which I suspect is an incredibly small group on Windows. We'd also be signing up to keep doing it, and implying that it's been tested. I say don't bother. ________________________________ From: Zachary Ware<mailto:report@bugs.python.org> Sent: 6/8/2014 11:57 To: Steve Dower<mailto:Steve.Dower@microsoft.com> Subject: [issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required Zachary Ware added the comment: So installers are out for 3.1-3.3; should we still update the externals script and pyproject properties for those branches anyway? If not, this issue should be ready to close. ---------- stage: -> commit review status: open -> pending type: -> security _______________________________________ Python tracker <report@bugs.python.org> <http://bugs.python.org/issue21671> _______________________________________ |
|||
| msg220046 - (view) | Author: Zachary Ware (zach.ware) * |
Date: 2014-06-08 19:04 | |
Good enough for me. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:04 | admin | set | github: 65870 |
| 2014-06-08 19:04:58 | zach.ware | set | status: open -> closed resolution: fixed messages: + msg220046 stage: commit review -> resolved |
| 2014-06-08 19:02:57 | steve.dower | set | status: pending -> open messages: + msg220045 |
| 2014-06-08 18:57:54 | zach.ware | set | status: open -> pending type: security messages: + msg220043 stage: commit review |
| 2014-06-07 18:55:00 | georg.brandl | set | messages: + msg219960 |
| 2014-06-06 11:22:51 | loewis | set | messages: + msg219871 |
| 2014-06-06 06:55:10 | georg.brandl | set | messages: + msg219865 |
| 2014-06-06 06:28:02 | python-dev | set | nosy:
+ python-dev messages: + msg219862 |
| 2014-06-05 23:12:46 | alex | set | nosy:
+ alex |
| 2014-06-05 21:15:16 | ned.deily | set | nosy:
+ georg.brandl messages: + msg219849 |
| 2014-06-05 21:11:29 | dstufft | set | nosy:
+ dstufft messages: + msg219848 |
| 2014-06-05 21:07:47 | ned.deily | set | priority: normal -> release blocker versions: - Python 3.1, Python 3.2, Python 3.3 nosy: + ned.deily, larry, benjamin.peterson messages: + msg219847 keywords: + security_issue |
| 2014-06-05 18:33:04 | zach.ware | set | nosy:
+ loewis, zach.ware, steve.dower messages: + msg219829 |
| 2014-06-05 17:29:21 | lambacck | create | |