Update to OpenSSL 1.1.1k #87797

Closed
tiran opened this issue Mar 26, 2021 · 11 comments
Assignees
Labels
3.8 only security fixes 3.9 only security fixes 3.10 only security fixes OS-mac OS-windows topic-SSL type-security A security issue

Comments

@tiran
Member

tiran commented Mar 26, 2021

BPO 43631
Nosy @pfmoore, @ronaldoussoren, @tiran, @tjguk, @ned-deily, @zware, @zooba, @miss-islington, @bmw
PRs
  • bpo-43631: Update to OpenSSL 1.1.1k #25024
  • [3.9] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) #25088
  • [3.8] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) #25089
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2021-03-31.20:01:45.116>
    created_at = <Date 2021-03-26.08:15:38.595>
    labels = ['type-security', 'OS-mac', '3.8', '3.9', '3.10', 'expert-SSL', 'OS-windows']
    title = 'Update to OpenSSL 1.1.1k'
    updated_at = <Date 2021-03-31.20:01:45.115>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-03-31.20:01:45.115>
    actor = 'christian.heimes'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2021-03-31.20:01:45.116>
    closer = 'christian.heimes'
    components = ['macOS', 'Windows', 'SSL']
    creation = <Date 2021-03-26.08:15:38.595>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 43631
    keywords = ['patch']
    message_count = 11.0
    messages = ['389541', '389748', '389749', '389750', '389767', '389773', '389775', '389809', '389810', '389864', '389931']
    nosy_count = 9.0
    nosy_names = ['paul.moore', 'ronaldoussoren', 'christian.heimes', 'tim.golden', 'ned.deily', 'zach.ware', 'steve.dower', 'miss-islington', 'bmw']
    pr_nums = ['25024', '25088', '25089']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue43631'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']

    @tiran tiran added 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes labels Mar 26, 2021
    @tiran tiran self-assigned this Mar 26, 2021
    @tiran tiran added OS-mac OS-windows topic-SSL type-security A security issue 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes labels Mar 26, 2021
    @bmw
    Mannequin

    bmw mannequin commented Mar 29, 2021

    When do you expect there will be new macOS and Windows downloads available at https://www.python.org/downloads/ that use OpenSSL 1.1.1k?

    One of my projects is relying on these files and I wasn't sure of the ETA here.

    @zooba
    Member

    zooba commented Mar 29, 2021

    Assume it'll be the next scheduled release (though I haven't looked at the details of the vulnerabilities yet, so we may decide that they're more urgent for CPython users).

    I'm starting the Windows build process now, but that only gets us far enough to do the integration, it's not a release.

    @tiran
    Member Author

    tiran commented Mar 29, 2021

    Thanks!

    My mail https://mail.python.org/archives/list/python-dev@python.org/thread/2GULUR43MNEW3IJM44LS5ZY2TOUANPNT/ contains a first analysis of the CVEs. I'm pretty sure any server application with a server-side TLS socket is vulnerable to CVE-2021-3449.
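A defender-side check that follows from this thread, added here as an editor's example and not code from the issue or from CPython: it parses the OpenSSL version string that `ssl.OPENSSL_VERSION` reports (and the `ssl.OPENSSL_VERSION_INFO` tuple) to tell whether an interpreter links an OpenSSL at or above 1.1.1k, the release this issue moves the Windows and macOS installers to. The function names and the `MIN_OPENSSL` constant are my own; the two `ssl` module attributes are real CPython constants.

```python
import re
import ssl

# Release this issue moves CPython's bundled OpenSSL to (name is mine).
MIN_OPENSSL = "1.1.1k"

# Matches "1.1.1k", "1.1.1j", "3.0.13"; the letters are the 1.x patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '1.1.1k' or 'OpenSSL 1.1.1k  25 Mar 2021' into a comparable tuple.

    In the 1.x series the trailing letters are patch levels (a=1 ... k=11,
    and 'za' sorts after 'z'); 3.x uses plain numbers, so patch is 0 there.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def meets_minimum(version_text, minimum=MIN_OPENSSL):
    """True when the version string names a release >= `minimum`."""
    return parse_openssl_version(version_text) >= parse_openssl_version(minimum)


def info_tuple_is_at_least(info, minimum=MIN_OPENSSL):
    """Same check from ssl.OPENSSL_VERSION_INFO, which is (1, 1, 1, 11, 15) for 1.1.1k."""
    return tuple(info[:4]) >= parse_openssl_version(minimum)


def check_running_interpreter():
    """Report the linked OpenSSL of this interpreter and whether it meets MIN_OPENSSL."""
    return {
        "version": ssl.OPENSSL_VERSION,
        "ok": info_tuple_is_at_least(ssl.OPENSSL_VERSION_INFO),
    }


if __name__ == "__main__":
    r = check_running_interpreter()
    print(f"{r['version']}: {'OK' if r['ok'] else 'older than ' + MIN_OPENSSL}")
```

Running this on a macOS installer built while the thread was open would report 1.1.1j and fail the check, which is the state tiran describes below.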

    @zooba
    Member

    zooba commented Mar 29, 2021

    I published the Windows OpenSSL builds and retriggered your PR builds, Christian.

    It looks like we should probably bring up the next release for this, if only because that will cause server users to do rebuilds/updates that they may otherwise not. I doubt there are many public-facing servers running on Windows or macOS (most Windows ones let IIS handle TLS anyway, rather than doing it in Python), though Brad may be an exception here ;)

    @tiran
    Member Author

    tiran commented Mar 29, 2021

    Thanks!

    All tests are passing, but macOS is still using OpenSSL 1.1.1j.

    @miss-islington
    Contributor

    New changeset a54fc68 by Christian Heimes in branch 'master':
    bpo-43631: Update to OpenSSL 1.1.1k (GH-25024)
    a54fc68

    @miss-islington
    Contributor

    New changeset 9ac2630 by Christian Heimes in branch '3.8':
    [3.8] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) (GH-25089)
    9ac2630

    @miss-islington
    Contributor

    New changeset cd82d59 by Christian Heimes in branch '3.9':
    [3.9] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) (GH-25088)
    cd82d59

    @bmw
    Mannequin

    bmw mannequin commented Mar 30, 2021

    To be fair, I doubt my project is affected by the CVEs. I was just looking to upgrade instead of trying to verify that.

    @tiran
    Member Author

    tiran commented Mar 31, 2021

    CI, macOS and Windows infrastructure have been updated.

    @tiran tiran closed this as completed Mar 31, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022