Classification
Title: Update to OpenSSL 1.1.1k
Type: security
Stage: resolved
Components: macOS, SSL, Windows
Versions: Python 3.10, Python 3.9, Python 3.8

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: bmw, christian.heimes, miss-islington, ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords: patch

Created on 2021-03-26 08:15 by christian.heimes, last changed 2021-03-31 20:01 by christian.heimes. This issue is now closed.

Pull Requests
URL | Status | Linked
PR 25024 | merged | christian.heimes, 2021-03-26 08:20
PR 25088 | merged | christian.heimes, 2021-03-30 00:03
PR 25089 | merged | christian.heimes, 2021-03-30 00:06
Messages (11)
msg389541 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-26 08:15
OpenSSL 1.1.1k contains fixes for two high severity CVEs

https://www.openssl.org/news/vulnerabilities.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449
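Before treating a build as patched, a practitioner wants to confirm which OpenSSL the interpreter actually links against (later in this thread the macOS build is found to still be on 1.1.1j after the CI update). The check below is an added example written for this page, not code from this issue or from CPython. It assumes the OPENSSL_VERSION_NUMBER encoding OpenSSL documents for 1.x releases (0xMNNFFPPS: major, minor, fix, patch letter, status nibble), that every OpenSSL 3.x release postdates 1.1.1k and carries the same fixes, and that LibreSSL reports the constant placeholder 0x20000000 rather than a real version; the function names are mine.

```python
"""Check whether this interpreter's OpenSSL is at least 1.1.1k.

Added example for bpo-43631, not CPython code. Assumes the 1.x
OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS that ssl.OPENSSL_VERSION_NUMBER
exposes in CPython 3.8-3.10.
"""
import ssl

# 1.1.1k encodes as 0x1 01 01 0b f: major 1, minor 1, fix 1, patch 'k' (11), release.
# It is the first release carrying the fixes for CVE-2021-3449 and CVE-2021-3450.
OPENSSL_1_1_1K = 0x101010BF


def decode_version_number(number: int) -> tuple:
    """Split a 1.x-style OPENSSL_VERSION_NUMBER into
    (major, minor, fix, patch_letter, status).

    patch_letter is '' for a .0 release and 'a'..'z' for patch 1..26;
    status is 'release' for nibble 0xf, 'dev' for 0x0, otherwise 'betaN'.
    """
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch_num = (number >> 4) & 0xFF
    status_nibble = number & 0xF
    patch = chr(ord("a") + patch_num - 1) if patch_num else ""
    if status_nibble == 0xF:
        status = "release"
    elif status_nibble == 0:
        status = "dev"
    else:
        status = f"beta{status_nibble}"
    return major, minor, fix, patch, status


def has_1_1_1k_fixes(number: int):
    """True if the library is OpenSSL 1.1.1k or newer, False if it is an
    older OpenSSL, None if the number cannot be classified.

    OpenSSL 3.x uses a different layout (0xMNN00PP0) but every 3.x release
    postdates 1.1.1k and includes these fixes, so a major of 3 or more is
    accepted.  LibreSSL (assumption: it reports the constant 0x20000000,
    which is not a version) is returned as None so that it is neither
    flagged as vulnerable nor silently accepted.
    """
    major = (number >> 28) & 0xF
    if major >= 3:
        return True
    if major == 2:
        return None
    return number >= OPENSSL_1_1_1K


def check_running_interpreter() -> str:
    """Describe the OpenSSL this interpreter is linked against.

    ssl.OPENSSL_VERSION is the human-readable string the library reports
    and is the only reliable indicator when the number is a placeholder.
    """
    number = ssl.OPENSSL_VERSION_NUMBER
    verdict = has_1_1_1k_fixes(number)
    if verdict is True:
        state = "has the 1.1.1k fixes"
    elif verdict is False:
        major, minor, fix, patch, status = decode_version_number(number)
        state = f"is {major}.{minor}.{fix}{patch} ({status}), older than 1.1.1k"
    else:
        state = "reports a version number this check cannot classify"
    return f"{ssl.OPENSSL_VERSION} (0x{number:08x}) {state}"


if __name__ == "__main__":
    print(check_running_interpreter())
```

Run it with the interpreter under test (for example the python3 from the python.org macOS installer, not the system one), since the point is to see what that specific build was linked against.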
msg389748 - Author: Brad Warren (bmw) Date: 2021-03-29 20:48
When do you expect there will be new macOS and Windows downloads available at https://www.python.org/downloads/ that use OpenSSL 1.1.1k?

One of my projects is relying on these files and I wasn't sure of the ETA here.
msg389749 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-03-29 20:52
Assume it'll be the next scheduled release (though I haven't looked at the details of the vulnerabilities yet, so we may decide that they're more urgent for CPython users).

I'm starting the Windows build process now, but that only gets us far enough to do the integration, it's not a release.
msg389750 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-29 20:55
Thanks!

My mail https://mail.python.org/archives/list/python-dev@python.org/thread/2GULUR43MNEW3IJM44LS5ZY2TOUANPNT/ contains a first analysis of the CVEs. I'm pretty sure any server application with a server-side TLS socket is vulnerable to CVE-2021-3449.
msg389767 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2021-03-29 22:45
I published the Windows OpenSSL builds and retriggered your PR builds, Christian.

It looks like we should probably bring up the next release for this, if only because that will cause server users to do rebuilds/updates that they may otherwise not. I doubt there are many public-facing servers running on Windows or macOS (most Windows ones let IIS handle TLS anyway, rather than doing it in Python), though Brad may be an exception here ;)
msg389773 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-29 23:32
Thanks!

All tests are passing, but macOS is still using OpenSSL 1.1.1j.
msg389775 - Author: miss-islington (miss-islington) Date: 2021-03-30 00:00
New changeset a54fc683f237d8f0b6e999a63aa9b8c0a45b7fef by Christian Heimes in branch 'master':
bpo-43631: Update to OpenSSL 1.1.1k (GH-25024)
https://github.com/python/cpython/commit/a54fc683f237d8f0b6e999a63aa9b8c0a45b7fef
msg389809 - Author: miss-islington (miss-islington) Date: 2021-03-30 08:58
New changeset 9ac263091db4a8c7dedb577d01f544622a448744 by Christian Heimes in branch '3.8':
[3.8] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) (GH-25089)
https://github.com/python/cpython/commit/9ac263091db4a8c7dedb577d01f544622a448744
msg389810 - Author: miss-islington (miss-islington) Date: 2021-03-30 08:58
New changeset cd82d592063aa03dcc238dcc5222bd47ee0eb438 by Christian Heimes in branch '3.9':
[3.9] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) (GH-25088)
https://github.com/python/cpython/commit/cd82d592063aa03dcc238dcc5222bd47ee0eb438
msg389864 - Author: Brad Warren (bmw) Date: 2021-03-30 23:06
To be fair, I doubt my project is affected by the CVEs. I was just looking to upgrade instead of trying to verify that.
msg389931 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-03-31 20:01
CI, macOS and Windows infrastructure have been updated.
History
Date | User | Action | Args
2021-04-05 19:37:40 | ned.deily | link | issue41837 superseder
2021-03-31 20:01:45 | christian.heimes | set | status: open -> closed; resolution: fixed; messages: + msg389931; stage: patch review -> resolved
2021-03-30 23:06:32 | bmw | set | messages: + msg389864
2021-03-30 08:58:19 | miss-islington | set | messages: + msg389810
2021-03-30 08:58:19 | miss-islington | set | messages: + msg389809
2021-03-30 00:06:11 | christian.heimes | set | pull_requests: + pull_request23835
2021-03-30 00:03:35 | christian.heimes | set | pull_requests: + pull_request23834
2021-03-30 00:00:40 | miss-islington | set | nosy: + miss-islington; messages: + msg389775
2021-03-29 23:32:53 | christian.heimes | set | messages: + msg389773
2021-03-29 22:45:22 | steve.dower | set | messages: + msg389767
2021-03-29 20:55:15 | christian.heimes | set | messages: + msg389750
2021-03-29 20:52:05 | steve.dower | set | messages: + msg389749
2021-03-29 20:48:51 | bmw | set | messages: + msg389748
2021-03-29 19:04:02 | bmw | set | nosy: + bmw
2021-03-26 08:20:26 | christian.heimes | set | keywords: + patch; pull_requests: + pull_request23774
2021-03-26 08:15:38 | christian.heimes | create |