
classification
Title: Update OpenSSL to 1.0.2d in Windows and OS X installer
Type: security
Stage: resolved
Components: Build, macOS, Windows
Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Friedrich.Spee.von.Langenfeld, benjamin.peterson, larry, ned.deily, paul.moore, python-dev, ronaldoussoren, steve.dower, tim.golden, vstinner, zach.ware
Priority: release blocker
Keywords:

Created on 2015-07-10 09:38 by Friedrich.Spee.von.Langenfeld, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg246552 - Author: Friedrich Spee von Langenfeld (Friedrich.Spee.von.Langenfeld) Date: 2015-07-10 09:38
The developers of OpenSSL have published a new update. It fixes a bug marked as severe (https://www.openssl.org/news/secadv_20150709.txt). It seems that we are using a vulnerable version. Could someone who knows the relevant files' locations update our repository? Many thanks in advance.
msg246553 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2015-07-10 09:54
Yes, read the discussion on python-dev:
https://mail.python.org/pipermail/python-dev/2015-July/140706.html

Christian Heimes wrote:

"1.0.2c is only used in 3.5b3. The production builds are either using
1.0.2a or 1.0.1j."

Should I understand that only Windows installers of the beta version of Python 3.5 are vulnerable?
msg246564 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2015-07-10 14:47
The Windows installer and the 32-bit-only OS X installer both have local copies of OpenSSL.  At the moment, only the 3.5.0 betas have been released with 1.0.2.  Setting to release blocker priority for 3.5.0b4.
msg247089 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-07-22 04:29
New changeset 53c0c8914ad0 by Zachary Ware in branch '2.7':
Issue #24603: Update Windows build to use OpenSSL 1.0.2d
https://hg.python.org/cpython/rev/53c0c8914ad0

New changeset f4cd9ac378d7 by Zachary Ware in branch '3.4':
Issue #24603: Update the Windows build to use OpenSSL 1.0.2d
https://hg.python.org/cpython/rev/f4cd9ac378d7

New changeset 2930e23d729f by Zachary Ware in branch '3.5':
Issue #24603: Update the Windows build to use OpenSSL 1.0.2d
https://hg.python.org/cpython/rev/2930e23d729f

New changeset 310613b993d4 by Zachary Ware in branch 'default':
Issue #24603: Merge with 3.5
https://hg.python.org/cpython/rev/310613b993d4
msg247304 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-07-24 23:26
New changeset 7ba239d4efbb by Ned Deily in branch '2.7':
Issue #24603: Update the OS X 32-bit installer build to use OpenSSL 1.0.2d.
https://hg.python.org/cpython/rev/7ba239d4efbb

New changeset 436b8902b305 by Ned Deily in branch '3.4':
Issue #24603: Update the OS X 32-bit installer build to use OpenSSL 1.0.2d.
https://hg.python.org/cpython/rev/436b8902b305

New changeset 78254d483573 by Ned Deily in branch '3.5':
Issue #24603: merge from 3.4
https://hg.python.org/cpython/rev/78254d483573

New changeset d205e7e5f9aa by Ned Deily in branch 'default':
Issue #24603: merge from 3.5
https://hg.python.org/cpython/rev/d205e7e5f9aa
History
Date | User | Action | Args
2022-04-11 14:58:18 | admin | set | github: 68791
2015-07-24 23:27:50 | ned.deily | set | status: open -> closed; resolution: fixed; stage: resolved
2015-07-24 23:26:26 | python-dev | set | messages: + msg247304
2015-07-22 04:29:04 | python-dev | set | nosy: + python-dev; messages: + msg247089
2015-07-10 14:49:04 | vstinner | set | nosy: + ronaldoussoren; components: + macOS
2015-07-10 14:47:23 | ned.deily | set | priority: normal -> release blocker; title: New update of OpenSSL -> Update OpenSSL to 1.0.2d in Windows and OS X installer; nosy: + ned.deily, benjamin.peterson, larry; messages: + msg246564; versions: + Python 2.7, Python 3.4, Python 3.6
2015-07-10 09:54:43 | vstinner | set | versions: + Python 3.5; nosy: + paul.moore, tim.golden, vstinner, zach.ware, steve.dower; messages: + msg246553; components: + Windows
2015-07-10 09:38:54 | Friedrich.Spee.von.Langenfeld | create |