CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required #65870
Comments
http://www.openssl.org/news/secadv_20140605.txt All client versions of OpenSSL are vulnerable, so all Windows builds of Python are vulnerable to MITM attacks when connecting to vulnerable servers.
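For anyone auditing a Windows Python install against this issue, the question is simply whether the OpenSSL the `ssl` module was built against is at or past the fixed patch level named in the advisory (0.9.8za, 1.0.0m, 1.0.1h). The following check is an added example and not part of this thread or of CPython; it parses the `ssl.OPENSSL_VERSION` string (e.g. `OpenSSL 1.0.1g 7 Apr 2014`) and compares the patch letters, which in OpenSSL run a..y and then za, zb, and so on. The fixed-version table is taken from the advisory; treating branches newer than 1.0.1 as fixed is an assumption that holds because those branches were first released after the fix.

```python
import re
import ssl

# Fixed releases named in the OpenSSL advisory (secadv_20140605) for CVE-2014-0224.
# Assumption: branches newer than 1.0.1 were first released after the fix and
# are treated as fixed; branches older than 0.9.8 never received it.
FIXED_PATCH_LEVEL = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(version_string):
    """Return ((major, minor, fix), patch_letters) from a string such as
    'OpenSSL 1.0.1g 7 Apr 2014', or None if it does not look like OpenSSL."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4)


def _letters_key(letters):
    # OpenSSL patch letters run a..y, then za, zb, ...; comparing the tuple of
    # code points orders '' < 'a' < ... < 'y' < 'za' < 'zb' correctly.
    return tuple(ord(c) for c in letters)


def is_fixed_for_cve_2014_0224(version_string):
    """True if the given OpenSSL version string carries the CVE-2014-0224 fix."""
    parsed = parse_openssl_version(version_string)
    if parsed is None:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    branch, letters = parsed
    if branch in FIXED_PATCH_LEVEL:
        return _letters_key(letters) >= _letters_key(FIXED_PATCH_LEVEL[branch])
    # Anything newer than 1.0.1 post-dates the fix; anything older never got it.
    return branch > (1, 0, 1)


def running_python_is_fixed():
    """Check the OpenSSL that this interpreter's ssl module was built against."""
    return is_fixed_for_cve_2014_0224(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    status = "fixed" if running_python_is_fixed() else "VULNERABLE (CVE-2014-0224)"
    print("%s -> %s" % (ssl.OPENSSL_VERSION, status))
```

Run it with the Python installer under test; on a build that still bundles 1.0.1g it reports the interpreter as vulnerable, and on 1.0.1h or later it reports fixed. Builds linked against a non-OpenSSL library (the regex will not match) raise `ValueError` rather than silently passing.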
2.7, 3.4, and default should be updated; should we do anything for 3.1-3.3 since they will not get any further installers?
This isn't an issue for releases in security-fix mode (3.1, 3.2, 3.3) since there are no changes to Python involved and we do not provide binary installers for releases in that mode.
Might it make sense to special-case 3.2 and 3.3, since the last releases of those were not security releases and the security issue is with a bundled library?
We can ask for an opinion from the 3.2 and 3.3 release managers (adding Georg), but I doubt that anyone is going to be interested in producing Windows binary installers for those releases, plus we haven't done this for 3.2.x for recent previous OpenSSL CVEs, have we?
New changeset 3dfdcc97250f by Zachary Ware in branch '2.7':
New changeset 79f3d25caac3 by Zachary Ware in branch '3.4':
New changeset a32ced15b883 by Zachary Ware in branch 'default':
Martin, would you make installers for a new 3.2 and 3.3 release?
I'm unsure. I'd rather stick to the established policy. If there are reasons to change the policy, I'd like to know what they are and what a new policy should look like, instead of making a singular exception from the policy. For the record, the reason *for* the policy is that it reduces maintenance burden; I'm unsure whether I still have the environment to build Python 3.2, for example.
Well, it's entirely logical to follow our own policies :)
So installers are out for 3.1-3.3; should we still update the externals script and pyproject properties for those branches anyway? If not, this issue should be ready to close.
The only reason to do it is to help out those who build from source, which I suspect is an incredibly small group on Windows. We'd also be signing up to keep doing it, and implying that it's been tested. I say don't bother.
Good enough for me.