Classification
Title: Upgrade OpenSSL in Windows builds
Type: behavior
Stage: resolved
Components: Build, Windows
Versions: Python 3.2

Process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: brian.curtin, christian.heimes, exarkun, giampaolo.rodola, loewis, pitrou, tim.golden
Priority: normal
Keywords:

Created on 2010-04-29 12:48 by pitrou, last changed 2010-11-20 18:27 by brian.curtin. This issue is now closed.

Messages (5)
msg104496 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-04-29 12:48
I don't know how official installers are built, but the standard build procedure with the Visual Studio files uses a custom checkout of OpenSSL 0.9.8l. OpenSSL is now at version 1.0.x, which adds security fixes and improvements.

I'd suggest upgrading the "custom checkout" to use the latest OpenSSL version, at least for dev branches (it may be too disruptive for the bugfix branches, since OpenSSL seems to have a history of changing behaviour a bit even between what look like minor versions). I don't have any idea how to do this myself, Linux being my development platform.
msg104497 - Author: Jean-Paul Calderone (exarkun) * (Python committer) Date: 2010-04-29 12:55
http://www.openssl.org/news/secadv_20100324.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

New Windows builds of any versions of CPython which are still receiving security updates should be released.
msg104515 - Author: Brian Curtin (brian.curtin) * (Python committer) Date: 2010-04-29 14:24
Tools/buildbot/external-common.bat does the checkout of OpenSSL 0.9.8l from svn.python.org/projects/external. What does it take to put a new 1.x version out there?
msg104584 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-04-29 20:32
IIUC, Python is not affected by this security issue. 'short' is a 16-bit integer, so it only affects 0.9.8m, which isn't being used by Python. Therefore, from a security point of view, no action needs to be taken.

I don't think upgrading OpenSSL is appropriate for 2.7 at this point, so removing it from the version list.

For updating OpenSSL for 3.2, multiple occurrences must be changed; external-common is not the only place. At a minimum, PCbuild/pyproject.vsprops and PCbuild/readme.txt need to change as well. The OpenSSL tree needs to be imported into the externals repository, and our custom changes need to be reapplied. Whether further changes need to be applied to the source can only be determined in testing. As all of this is a rather tedious procedure, we should be certain to only perform it once before the release of 3.2 (i.e. if we upgrade now, we shouldn't upgrade again three months from now).
msg121707 - Author: Brian Curtin (brian.curtin) * (Python committer) Date: 2010-11-20 18:26
Closing - OpenSSL was upgraded to version 1.0.0a a few months ago.
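The thread turns on which OpenSSL patch level a Python build is linked against: the Windows checkout was 0.9.8l, the advisory concerned 0.9.8m only, and the issue was closed once the externals moved to 1.0.0a. The check below is an added example, not code from this issue or from CPython's build scripts; it parses the version string that the `ssl` module reports and compares it against a minimum release, ordering the letter suffix after the numeric parts so that 0.9.8l sorts before 0.9.8m and 1.0.0 before 1.0.0a. The minimum of 1.0.0a and the sample version strings are chosen for this example.

```python
import re
import ssl

# Floor chosen for this example: the release the issue was closed on.
MIN_VERSION = "1.0.0a"

# Matches "0.9.8l", "1.0.0a", "1.1.1k" or "3.0.2" inside a longer
# string such as "OpenSSL 0.9.8l 5 Nov 2009".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse an OpenSSL version string into a comparable tuple.

    Returns (major, minor, fix, letter). Tuple comparison then gives the
    intended order: (0, 9, 8, 'l') < (0, 9, 8, 'm') and
    (1, 0, 0, '') < (1, 0, 0, 'a'), because '' sorts before any letter.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def meets_minimum(version_text, minimum=MIN_VERSION):
    """True if version_text is at or above the minimum release."""
    return parse_openssl_version(version_text) >= parse_openssl_version(minimum)


def check_linked_openssl(minimum=MIN_VERSION):
    """Report the OpenSSL this interpreter's ssl module was built against,
    and whether it meets the minimum. ssl.OPENSSL_VERSION is the string
    form, e.g. "OpenSSL 1.0.0a 1 Jun 2010".
    """
    linked = ssl.OPENSSL_VERSION
    return linked, meets_minimum(linked, minimum)


if __name__ == "__main__":
    # Constructed sample strings in the format ssl.OPENSSL_VERSION uses.
    for sample in ("OpenSSL 0.9.8l 5 Nov 2009",
                   "OpenSSL 0.9.8m 25 Feb 2010",
                   "OpenSSL 1.0.0a 1 Jun 2010"):
        print("%-28s -> %s" % (sample, "ok" if meets_minimum(sample) else "below minimum"))
    linked, ok = check_linked_openssl()
    print("this interpreter: %s -> %s" % (linked, "ok" if ok else "below minimum"))
```

Running the module against the interpreter it was started from reports the linked library, which is the quickest way to confirm that a rebuilt installer actually picked up the new externals checkout rather than a stale one.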
History
Date                 User              Action  Args
2010-11-20 18:27:01  brian.curtin      set     stage: resolved
2010-11-20 18:26:50  brian.curtin      set     status: open -> closed; resolution: out of date; messages: + msg121707
2010-04-29 20:33:17  loewis            set     priority: critical -> normal
2010-04-29 20:32:31  loewis            set     messages: + msg104584; versions: - Python 2.7
2010-04-29 18:02:30  giampaolo.rodola  set     nosy: + giampaolo.rodola
2010-04-29 14:25:00  brian.curtin      set     messages: + msg104515
2010-04-29 12:55:48  exarkun           set     priority: normal -> critical; nosy: + exarkun; messages: + msg104497
2010-04-29 12:48:33  pitrou            create