classification
Title: CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required
Type: security
Stage: resolved
Components: Build, Windows
Versions: Python 3.5, Python 3.4, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: alex, benjamin.peterson, dstufft, georg.brandl, lambacck, larry, loewis, ned.deily, python-dev, steve.dower, zach.ware
Priority: release blocker
Keywords: security_issue

Created on 2014-06-05 17:29 by lambacck, last changed 2014-06-08 19:04 by zach.ware. This issue is now closed.

Messages (12)
msg219828 - Author: Chris Lambacher (lambacck) * Date: 2014-06-05 17:29
http://www.openssl.org/news/secadv_20140605.txt

All client versions of OpenSSL are vulnerable so all Windows builds of Python are vulnerable to MITM attacks when connecting to vulnerable servers.
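A defender-side check that follows from this report, added here as an example (not code from the issue or from CPython): it reads the OpenSSL version Python was linked against and tells whether it is at or past 1.0.1h, the version this issue moves the Windows build to. The 0.9.8za and 1.0.0m thresholds for the other branches are taken from the linked OpenSSL advisory; the function names and sample banner strings are my own.

```python
import re
import ssl

# Patch levels at which CVE-2014-0224 is fixed, keyed by (major, minor, fix).
# 1.0.1h is the version this issue upgrades the Windows build to; the 0.9.8za
# and 1.0.0m thresholds come from the linked advisory. Patch letters map to
# numbers the way OpenSSL encodes them (a=1 ... z=26, za=27), which is what
# the fourth element of ssl.OPENSSL_VERSION_INFO carries.
FIXED_PATCH = {(0, 9, 8): 27, (1, 0, 0): 13, (1, 0, 1): 8}

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_letters_to_number(letters):
    """Convert an OpenSSL patch suffix ('', 'h', 'za') to its numeric level."""
    return sum(ord(c) - ord("a") + 1 for c in letters)


def parse_openssl_version(banner):
    """Parse a banner like 'OpenSSL 1.0.1g 7 Apr 2014' into (major, minor, fix, patch)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), patch_letters_to_number(letters))


def is_fixed(version):
    """True if (major, minor, fix, patch[, status]) carries the CVE-2014-0224 fix."""
    branch, patch = tuple(version[:3]), version[3]
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    # Branches newer than 1.0.1 were released after the fix; older ones never got it.
    return branch > (1, 0, 1)


def check_running_python():
    """Report whether the OpenSSL linked into this interpreter still lacks the fix."""
    fixed = is_fixed(ssl.OPENSSL_VERSION_INFO)
    verdict = "fixed" if fixed else "VULNERABLE to CVE-2014-0224, upgrade OpenSSL"
    print("%s -> %s" % (ssl.OPENSSL_VERSION, verdict))
    return fixed


if __name__ == "__main__":
    check_running_python()
```

On a Windows installer from before this fix, ssl.OPENSSL_VERSION_INFO reports patch level 7 (1.0.1g) and the check flags it; the same script can be pointed at banner strings collected from other hosts via parse_openssl_version.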
msg219829 - Author: Zachary Ware (zach.ware) * (Python committer) Date: 2014-06-05 18:33
2.7, 3.4, and default should be updated; should we do anything for 3.1-3.3 since they will not get any further installers?
msg219847 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2014-06-05 21:07
This isn't an issue for releases in security-fix mode (3.1, 3.2, 3.3) since there are no changes to Python involved and we do not provide binary installers for releases in that mode.
msg219848 - Author: Donald Stufft (dstufft) * (Python committer) Date: 2014-06-05 21:11
Might it make sense to special case 3.2 and 3.3 since the last releases of those were not security releases and the security issue is with a bundled library?
msg219849 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2014-06-05 21:15
We can ask for an opinion from the 3.2 and 3.3 release managers (adding Georg), but I doubt that anyone is going to be interested in producing Windows binary installers for those releases, plus we haven't done this for 3.2.x for recent previous OpenSSL CVEs, have we?
msg219862 - Author: Roundup Robot (python-dev) Date: 2014-06-06 06:28
New changeset 3dfdcc97250f by Zachary Ware in branch '2.7':
Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h
http://hg.python.org/cpython/rev/3dfdcc97250f

New changeset 79f3d25caac3 by Zachary Ware in branch '3.4':
Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h
http://hg.python.org/cpython/rev/79f3d25caac3

New changeset a32ced15b883 by Zachary Ware in branch 'default':
Issue #21671: Merge with 3.4
http://hg.python.org/cpython/rev/a32ced15b883
msg219865 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2014-06-06 06:55
Martin, would you make installers for a new 3.2 and 3.3 release?
msg219871 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2014-06-06 11:22
I'm unsure. I'd rather stick to the established policy. If there are reasons to change the policy, I'd like to know what they are and what a new policy should look like, instead of making a singular exception from the policy.

For the record, the reason *for* the policy is that it reduces maintenance burden; I'm unsure whether I still have the environment to build Python 3.2, for example.
msg219960 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2014-06-07 18:55
Well, it's entirely logical to follow our own policies :)
msg220043 - Author: Zachary Ware (zach.ware) * (Python committer) Date: 2014-06-08 18:57
So installers are out for 3.1-3.3; should we still update the externals script and pyproject properties for those branches anyway?  If not, this issue should be ready to close.
msg220045 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2014-06-08 19:02
The only reason to do it is to help out those who build from source, which I suspect is an incredibly small group on Windows. We'd also be signing up to keep doing it, and implying that it's been tested.

I say don't bother.
msg220046 - Author: Zachary Ware (zach.ware) * (Python committer) Date: 2014-06-08 19:04
Good enough for me.
History
Date                 User          Action  Args
2014-06-08 19:04:58  zach.ware     set     status: open -> closed; resolution: fixed; messages: + msg220046; stage: commit review -> resolved
2014-06-08 19:02:57  steve.dower   set     status: pending -> open; messages: + msg220045
2014-06-08 18:57:54  zach.ware     set     status: open -> pending; type: security; messages: + msg220043; stage: commit review
2014-06-07 18:55:00  georg.brandl  set     messages: + msg219960
2014-06-06 11:22:51  loewis        set     messages: + msg219871
2014-06-06 06:55:10  georg.brandl  set     messages: + msg219865
2014-06-06 06:28:02  python-dev    set     nosy: + python-dev; messages: + msg219862
2014-06-05 23:12:46  alex          set     nosy: + alex
2014-06-05 21:15:16  ned.deily     set     nosy: + georg.brandl; messages: + msg219849
2014-06-05 21:11:29  dstufft       set     nosy: + dstufft; messages: + msg219848
2014-06-05 21:07:47  ned.deily     set     priority: normal -> release blocker; versions: - Python 3.1, Python 3.2, Python 3.3; nosy: + ned.deily, larry, benjamin.peterson; messages: + msg219847; keywords: + security_issue
2014-06-05 18:33:04  zach.ware     set     nosy: + loewis, zach.ware, steve.dower; messages: + msg219829
2014-06-05 17:29:21  lambacck      create