I don't know how official installers are built, but the standard build procedure with the Visual Studio files uses a custom checkout of OpenSSL 0.9.8l. OpenSSL is now at version 1.0.x, which adds security fixes and improvements.

I'd suggest upgrade the "custom checkout" to use the latest OpenSSL version, at least for dev branches (it may be too disruptive for the bugfix branches, since OpenSSL seems to have a history of changing behaviour a bit even between what look like minor versions). I don't have an idea how to do this myself, Linux being my development platform.

http://www.openssl.org/news/secadv_20100324.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

New Windows builds of any versions of CPython which are still receiving security updates should be released.

Tools/buildbot/external-common.bat does the checkout of OpenSSL 0.9.8l from svn.python.org/projects/external. What does it take to put a new 1.x version out there?

IIUC, Python is not affected by this security issue. 'short' is a 16-bit integer, so it only affects 0.9.8m, which isn't being used by Python. Therefore, from a security point of view, no action needs to be taken.

I don't think upgrading OpenSSL is appropriate for 2.7 at this point, so removing it from the version list.

For updating OpenSSL for 3.2, multiple occurrences must be changed; external-common is not the only place. At a minimum, PCbuild/pyproject.vsprops and PCbuild/readme.txt need to change as well. The OpenSSL tree needs to be imported into the externals repository, and our custom changes need to be reapplied. Whether further changes need to be applied to the source, can only be determined in testing. As all of this is a rather tedious procedure, we should be certain to only perform it once before the release of 3.2 (i.e. if we upgrade now, we shouldn't upgrade again three months from now).

Closing - OpenSSL was upgraded to version 1.0.0a a few months ago.