classification
Title: Upgrade installers to OpenSSL 1.0.2j
Type: security Stage: resolved
Components: Library (Lib), macOS, SSL, Windows Versions: Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: ned.deily Nosy List: Mariatta, Safihre, alex, benjamin.peterson, christian.heimes, dstufft, janssen, larry, matrixise, ned.deily, paul.moore, python-dev, ronaldoussoren, scw, steve.dower, tim.golden, zach.ware
Priority: Keywords: patch, security_issue

Created on 2016-09-22 13:56 by alex, last changed 2017-09-08 02:35 by vstinner. This issue is now closed.

Files
File name Uploaded Description Edit
issue28248.patch Mariatta, 2016-10-11 03:15 review
Pull Requests
URL Status Linked Edit
PR 552 closed dstufft, 2017-03-31 16:36
PR 3447 closed vstinner, 2017-09-08 02:35
Messages (13)
msg277226 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2016-09-22 13:56
https://www.openssl.org/news/secadv/20160922.txt
msg277234 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-22 18:25
1.0.2i passes all tests of 2.7, 3.5-7 on Linux
msg277410 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-26 10:39
Make that OpenSSL 1.0.2j with fix for CVE-2016-7052

https://www.openssl.org/news/openssl-1.0.2-notes.html
msg278448 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2016-10-11 01:51
We didn't get this into 3.6.0b2; needs to be in 3.6.0b3.
msg278453 - (view) Author: Mariatta (Mariatta) * (Python committer) Date: 2016-10-11 03:15
Hi, I updated the openssl version from 1.0.2h to 1.0.2j in build-installer.py

Please let me know if this works.

Thanks :)
msg278454 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-10-11 03:30
New changeset c29045efd25e by Zachary Ware in branch '2.7':
Issue #28248: Update Windows build to use OpenSSL 1.0.2j
https://hg.python.org/cpython/rev/c29045efd25e

New changeset d7b9ce8ae79b by Zachary Ware in branch '3.4':
Issue #28248: Update Windows build to use OpenSSL 1.0.2j
https://hg.python.org/cpython/rev/d7b9ce8ae79b

New changeset 5fa74d8c987b by Zachary Ware in branch '3.5':
Issue #28248: Merge with 3.4
https://hg.python.org/cpython/rev/5fa74d8c987b

New changeset cc5006dab787 by Zachary Ware in branch '3.6':
Issue #28248: Merge with 3.5
https://hg.python.org/cpython/rev/cc5006dab787

New changeset fea9ff9e745d by Zachary Ware in branch 'default':
Issue #28248: Merge with 3.6
https://hg.python.org/cpython/rev/fea9ff9e745d
msg278859 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2016-10-18 12:32
@zach maybe we can close this issue if you have updated openssl?
msg278866 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2016-10-18 12:54
The Mac installer still needs to be updated, which is Ned's department.
msg278867 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2016-10-18 12:55
ok, thank you Zach for this comment.
msg279842 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-10-31 23:59
New changeset 33ad26897e30 by Ned Deily in branch '2.7':
Issue #28248: Update macOS installer build to use OpenSSL 1.0.2j.
https://hg.python.org/cpython/rev/33ad26897e30

New changeset a8799a63feb7 by Ned Deily in branch '3.5':
Issue #28248: Update macOS installer build to use OpenSSL 1.0.2j.
https://hg.python.org/cpython/rev/a8799a63feb7

New changeset c7e551f8c5d8 by Ned Deily in branch '3.6':
Issue #28248: merge from 3.5
https://hg.python.org/cpython/rev/c7e551f8c5d8

New changeset 9e66ffa7a791 by Ned Deily in branch 'default':
Issue #28248: merge from 3.6
https://hg.python.org/cpython/rev/9e66ffa7a791
msg279843 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2016-11-01 00:02
Thanks for the patch, Mariatta. Pushed for release in 2.7.13, 3.5.3, and 3.6.0b3.
msg283004 - (view) Author: Safihre (Safihre) Date: 2016-12-12 14:22
From the changelog I interpreted this to mean that Python would now use OpenSSL 1.0.2j on macOS for its ssl module.
But this is not the case?
On a fresh macOS Sierra VM I get:

Python 2.7.13rc1 (v2.7.13rc1:4d6fd49eeb14, Dec  3 2016, 13:01:23) 
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8zh 14 Jan 2016'
msg283028 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2016-12-12 17:11
@S Safihre. See the ReadMe included with the python.org 2.7.x installers.  (It is displayed at installation and a copy is installed to /Applications/Python 2.7/ReadMe.rtf)  As explained there, for 2.7.13rc1 as in recent previous 2.7.x releases, only the 10.5+ installer variant is linked with the private copy of OpenSSL; the 10.6+ installer uses the Apple-supplied system version.
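The last two messages turn on which OpenSSL a given interpreter is actually linked against. The following is an added example, not part of the original thread or of CPython: a check that compares the `ssl.OPENSSL_VERSION` string against the 1.0.2j floor named in this issue. The helper names are hypothetical and the letter-suffix ordering (a..z, then za, zb, ...) is the assumption the comparison relies on.

```python
import re
import ssl

# Minimum release named in this issue (1.0.2j carries the CVE-2016-7052 fix).
MINIMUM = "1.0.2j"

# Matches "OpenSSL 1.0.2j  26 Sep 2016" as well as a bare "1.0.2j".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return a sortable key for an OpenSSL version string (hypothetical helper)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    major, minor, fix, letters = m.groups()
    # Assumption: letter releases run a..z, then za, zb, ...; sorting by
    # (length, text) keeps that order, so "zh" sorts after "z".
    return (int(major), int(minor), int(fix), len(letters), letters)


def is_at_least(reported, minimum=MINIMUM):
    """True if the reported version is the minimum release or newer."""
    return parse_openssl_version(reported) >= parse_openssl_version(minimum)


def check_running_interpreter(minimum=MINIMUM):
    """Return (version string, verdict); verdict is None if unparsable."""
    reported = ssl.OPENSSL_VERSION
    try:
        return reported, is_at_least(reported, minimum)
    except ValueError:
        # e.g. a non-OpenSSL TLS library reporting a different name
        return reported, None


if __name__ == "__main__":
    # First string is the one quoted in msg283004; the others are constructed samples.
    for sample in ("OpenSSL 0.9.8zh 14 Jan 2016",
                   "OpenSSL 1.0.2h  3 May 2016",
                   "OpenSSL 1.0.2j  26 Sep 2016"):
        print(sample, "->", "ok" if is_at_least(sample) else "too old")
    print("this interpreter:", check_running_interpreter())
```

Run it with each installed interpreter in turn; as msg283028 explains, the installer variant determines whether the private OpenSSL copy or the system library is reported.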
History
Date User Action Args
2017-09-08 02:35:37 vstinner set pull_requests: + pull_request3447
2017-03-31 16:36:29 dstufft set pull_requests: + pull_request1026
2016-12-12 17:11:27 ned.deily set messages: + msg283028
2016-12-12 14:22:12 Safihre set nosy: + Safihre
    messages: + msg283004
2016-11-01 00:02:53 ned.deily set status: open -> closed
    priority: release blocker ->
    messages: + msg279843
    resolution: fixed
    stage: patch review -> resolved
2016-10-31 23:59:11 python-dev set messages: + msg279842
2016-10-18 12:55:07 matrixise set messages: + msg278867
2016-10-18 12:54:29 zach.ware set assignee: ned.deily
    messages: + msg278866
    stage: needs patch -> patch review
2016-10-18 12:32:07 matrixise set nosy: + matrixise
    messages: + msg278859
2016-10-11 03:30:36 python-dev set nosy: + python-dev
    messages: + msg278454
2016-10-11 03:15:53 Mariatta set files: + issue28248.patch
    nosy: + Mariatta
    messages: + msg278453
    keywords: + patch
2016-10-11 01:51:31 ned.deily set messages: + msg278448
2016-09-28 23:34:41 scw set nosy: + scw
2016-09-26 10:39:24 christian.heimes set messages: + msg277410
    title: Upgrade installers to OpenSSL 1.0.2i -> Upgrade installers to OpenSSL 1.0.2j
2016-09-25 10:31:36 christian.heimes set superseder: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows ->
2016-09-25 10:30:52 christian.heimes set superseder: Upgrade Python 3.4 to OpenSSL 1.0.2h on Windows
    versions: + Python 3.4
2016-09-22 18:26:07 christian.heimes set priority: normal -> release blocker
    nosy: + larry, benjamin.peterson
    type: security
    stage: needs patch
2016-09-22 18:25:35 christian.heimes set assignee: christian.heimes -> (no value)
    messages: + msg277234
    components: + macOS, Windows
2016-09-22 13:56:24 alex create