classification
Title: Upgrade Windows and macOS installer builds to OpenSSL 1.1.1g
Type: Stage: resolved
Components: macOS, Windows Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, lukasz.langa, miss-islington, ned.deily, paul.moore, ronaldoussoren, steve.dower, thatiparthy, tim.golden, zach.ware
Priority: Keywords: patch

Created on 2020-04-03 00:56 by ned.deily, last changed 2020-06-12 22:35 by ned.deily. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 19359 merged steve.dower, 2020-04-04 12:14
PR 19361 merged steve.dower, 2020-04-04 14:22
PR 19362 merged steve.dower, 2020-04-04 14:24
PR 19642 merged ned.deily, 2020-04-22 02:14
PR 19643 merged miss-islington, 2020-04-22 02:41
PR 19644 merged miss-islington, 2020-04-22 02:41
PR 20834 merged thatiparthy, 2020-06-12 18:05
PR 20839 merged miss-islington, 2020-06-12 20:46
PR 20840 merged steve.dower, 2020-06-12 20:57
PR 20841 merged steve.dower, 2020-06-12 20:57
Messages (23)
msg365657 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-04-03 00:56
1.1.1f released 2020-03-31

Reminder to Windows team to update Windows build.

Reminder to macOS team to update macOS installer build.
(note: please don't submit a PR or patch for this!)

https://www.openssl.org/source/
msg365727 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-04-03 21:50
I've pushed new binaries for OpenSSL 1.1.1f on Windows. I'll try and to the rest over the weekend, but if someone else wants to do the PCbuild PR feel free.
msg365764 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-04-04 14:19
New changeset a1d4dbdfc78e3aed4c245e1810ef24eaa4e744c2 by Steve Dower in branch 'master':
bpo-40164: Update Windows to OpenSSL 1.1.1f (GH-19359)
https://github.com/python/cpython/commit/a1d4dbdfc78e3aed4c245e1810ef24eaa4e744c2
msg365766 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-04-04 14:47
New changeset 37126e7bd242bce03f3c4f208d8871edd3febcbe by Steve Dower in branch '3.8':
bpo-40164: Update Windows to OpenSSL 1.1.1f (GH-19359)
https://github.com/python/cpython/commit/37126e7bd242bce03f3c4f208d8871edd3febcbe
msg365767 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-04-04 14:47
New changeset e7a47c23dd25a144ec4afc2db46393818694926f by Steve Dower in branch '3.7':
bpo-40164: Update Windows to OpenSSL 1.1.1f (GH-19359)
https://github.com/python/cpython/commit/e7a47c23dd25a144ec4afc2db46393818694926f
msg366932 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-04-21 17:34
And today (2020-04-21) 1.1.1g is released with a high severity fix.
msg366940 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-04-21 21:02
That'll teach me for being so quick on this...

Are we even impacted by the issue though? I don't see any calls to SSL_check_chain() in our code or the SSL sources.

Advisory: https://www.openssl.org/news/secadv/20200421.txt
Full diff: https://github.com/openssl/openssl/compare/OpenSSL_1_1_1f...OpenSSL_1_1_1g
msg366955 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-04-21 23:43
> Are we even impacted by the issue though?

Certainly we use a check_chain function at least indirectly but, whether that path is vulnerable, dunno.

But, in any case, we will no doubt be pinged about it so best to be ahead of the curve, I think.
msg366970 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-04-22 02:41
New changeset 783a673f23c5e9ffafe12fe172e119dc0fa2abda by Ned Deily in branch 'master':
bpo-40164: Update macOS installer builds to use OpenSSL 1.1.1g. (GH-19642)
https://github.com/python/cpython/commit/783a673f23c5e9ffafe12fe172e119dc0fa2abda
msg366971 - (view) Author: miss-islington (miss-islington) Date: 2020-04-22 03:00
New changeset 9e51aab37e9af6fa0fe406fd56184a0aded28e11 by Miss Islington (bot) in branch '3.8':
bpo-40164: Update macOS installer builds to use OpenSSL 1.1.1g. (GH-19642)
https://github.com/python/cpython/commit/9e51aab37e9af6fa0fe406fd56184a0aded28e11
msg366972 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-04-22 03:04
New changeset 7ad3adda9bff8a9055eaf0b66489e8204f1e7cc6 by Miss Islington (bot) in branch '3.7':
bpo-40164: Update macOS installer builds to use OpenSSL 1.1.1g. (GH-19642) (GH-19644)
https://github.com/python/cpython/commit/7ad3adda9bff8a9055eaf0b66489e8204f1e7cc6
msg369244 - (view) Author: Łukasz Langa (lukasz.langa) * (Python committer) Date: 2020-05-18 15:24
Should this still be open?
msg369245 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-05-18 15:28
I believe the Windows builds are still using 1.1.1f.
msg371343 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-06-12 08:37
Any chance of getting the Windows builds using 1.1.1g for the upcoming 3.7.8?
msg371401 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-12 17:43
Yeah, I'll get onto it now.
msg371402 - (view) Author: Srinivas Reddy Thatiparthy(శ్రీనివాస్ రెడ్డి తాటిపర్తి) (thatiparthy) * Date: 2020-06-12 18:12
Steve,
      I have done it. And I  didn't see your reply.
msg371404 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-12 18:46
Thanks. Your PR will start to work once I've done the updated build, so don't worry about the failure right now.

OpenSSL updates require build manager involvement, so it's blocked on me :)
msg371414 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-12 20:03
Okay, new sources and build are up, so I retriggered the PR. If it's all good, I'll merge and backport.
msg371417 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-12 20:46
New changeset 80d827c3cb041ae72b9b0572981c50bdd1fe2cab by Srinivas Reddy Thatiparthy (శ్రీనివాస్  రెడ్డి తాటిపర్తి) in branch 'master':
bpo-40164: Update Windows OpenSSL to 1.1.1g (GH-20834)
https://github.com/python/cpython/commit/80d827c3cb041ae72b9b0572981c50bdd1fe2cab
msg371419 - (view) Author: miss-islington (miss-islington) Date: 2020-06-12 21:06
New changeset 166d7234b5ae07f78feb5ddfb3026fbd2a1a36e2 by Miss Islington (bot) in branch '3.9':
bpo-40164: Update Windows OpenSSL to 1.1.1g (GH-20834)
https://github.com/python/cpython/commit/166d7234b5ae07f78feb5ddfb3026fbd2a1a36e2
msg371421 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-12 21:15
New changeset 7e57c367d65f3d0219978b465dc00da15ae3724c by Steve Dower in branch '3.8':
bpo-40164: Update Windows OpenSSL to 1.1.1g (GH-20834)
https://github.com/python/cpython/commit/7e57c367d65f3d0219978b465dc00da15ae3724c
msg371422 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-12 21:15
New changeset 617af99312ca36ad5a08db764858caf11c92a2c0 by Steve Dower in branch '3.7':
bpo-40164: Update Windows OpenSSL to 1.1.1g (GH-20834)
https://github.com/python/cpython/commit/617af99312ca36ad5a08db764858caf11c92a2c0
msg371426 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-06-12 22:35
Thanks, Steve and Srinivas!
History
Date User Action Args
2020-06-12 22:35:11ned.deilysetpriority: deferred blocker ->

messages: + msg371426
versions: + Python 3.10
2020-06-12 21:22:14steve.dowersetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2020-06-12 21:15:31steve.dowersetmessages: + msg371422
2020-06-12 21:15:00steve.dowersetmessages: + msg371421
2020-06-12 21:06:56miss-islingtonsetmessages: + msg371419
2020-06-12 20:57:27steve.dowersetpull_requests: + pull_request20034
2020-06-12 20:57:26steve.dowersetpull_requests: + pull_request20033
2020-06-12 20:46:53miss-islingtonsetpull_requests: + pull_request20032
2020-06-12 20:46:45steve.dowersetmessages: + msg371417
2020-06-12 20:03:23steve.dowersetmessages: + msg371414
2020-06-12 18:46:58steve.dowersetmessages: + msg371404
2020-06-12 18:12:22thatiparthysetmessages: + msg371402
2020-06-12 18:05:47thatiparthysetnosy: + thatiparthy
pull_requests: + pull_request20028
2020-06-12 17:43:04steve.dowersetmessages: + msg371401
2020-06-12 08:37:44ned.deilysetmessages: + msg371343
2020-05-18 15:28:33ned.deilysetmessages: + msg369245
2020-05-18 15:24:36lukasz.langasetnosy: + lukasz.langa
messages: + msg369244
2020-04-22 03:04:19ned.deilysetmessages: + msg366972
2020-04-22 03:00:34miss-islingtonsetmessages: + msg366971
2020-04-22 02:41:56miss-islingtonsetpull_requests: + pull_request18968
2020-04-22 02:41:48miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request18967
2020-04-22 02:41:40ned.deilysetmessages: + msg366970
2020-04-22 02:14:17ned.deilysetpull_requests: + pull_request18966
2020-04-21 23:43:26ned.deilysetmessages: + msg366955
2020-04-21 21:02:35steve.dowersetnosy: + christian.heimes
messages: + msg366940
2020-04-21 17:34:05ned.deilysetmessages: + msg366932
title: Upgrade Windows and macOS installer builds to OpenSSL 1.1.1f -> Upgrade Windows and macOS installer builds to OpenSSL 1.1.1g
2020-04-04 14:47:50steve.dowersetmessages: + msg365767
2020-04-04 14:47:46steve.dowersetmessages: + msg365766
2020-04-04 14:24:34steve.dowersetpull_requests: + pull_request18724
2020-04-04 14:22:24steve.dowersetpull_requests: + pull_request18723
2020-04-04 14:19:15steve.dowersetmessages: + msg365764
2020-04-04 12:14:36steve.dowersetkeywords: + patch
stage: needs patch -> patch review
pull_requests: + pull_request18721
2020-04-03 21:50:15steve.dowersetmessages: + msg365727
2020-04-03 00:56:28ned.deilycreate