CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required #65870

Closed
lambacck mannequin opened this issue Jun 5, 2014 · 12 comments
Labels: build (The build process and cross-build), OS-windows, release-blocker, type-security (A security issue)

Comments

lambacck (mannequin) commented Jun 5, 2014

BPO 21671
Nosy @loewis, @birkenfeld, @larryhastings, @benjaminp, @ned-deily, @alex, @zware, @zooba, @dstufft

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2014-06-08.19:04:58.044>
created_at = <Date 2014-06-05.17:29:21.891>
labels = ['type-security', 'build', 'OS-windows', 'release-blocker']
title = 'CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required'
updated_at = <Date 2014-06-08.19:04:58.042>
user = 'https://bugs.python.org/lambacck'

bugs.python.org fields:

activity = <Date 2014-06-08.19:04:58.042>
actor = 'zach.ware'
assignee = 'none'
closed = True
closed_date = <Date 2014-06-08.19:04:58.044>
closer = 'zach.ware'
components = ['Build', 'Windows']
creation = <Date 2014-06-05.17:29:21.891>
creator = 'lambacck'
dependencies = []
files = []
hgrepos = []
issue_num = 21671
keywords = ['security_issue']
message_count = 12.0
messages = ['219828', '219829', '219847', '219848', '219849', '219862', '219865', '219871', '219960', '220043', '220045', '220046']
nosy_count = 11.0
nosy_names = ['loewis', 'georg.brandl', 'larry', 'benjamin.peterson', 'ned.deily', 'lambacck', 'alex', 'python-dev', 'zach.ware', 'steve.dower', 'dstufft']
pr_nums = []
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue21671'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5']

lambacck (mannequin, author) commented Jun 5, 2014

http://www.openssl.org/news/secadv_20140605.txt

All client versions of OpenSSL are vulnerable, so all Windows builds of Python are vulnerable to MITM attacks when connecting to vulnerable servers.

lambacck added the labels build and OS-windows on Jun 5, 2014
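The report above hinges on where the vulnerable code lives: the Windows build of CPython links its own copy of OpenSSL into `_ssl.pyd`, so a patched system library does not help and the fix has to ship as a new installer. The first thing a practitioner wants is to know which OpenSSL a given interpreter actually carries. The following is an added example, not code from this issue or from CPython: it reads `ssl.OPENSSL_VERSION` and compares it against the fixed releases the OpenSSL advisory linked in the report names (0.9.8za, 1.0.0m, 1.0.1h, with 1.0.2-beta1 affected and 1.0.2-beta2 carrying the fix). The helper names (`parse_version`, `is_fixed`, `check_interpreter`) and the treatment of branches older than 0.9.8 as never patched are my own assumptions; the version strings in the usage below are constructed samples.

```python
"""Classify an OpenSSL version string against the CVE-2014-0224 fix.

Added example, not part of the original issue or of CPython.  The fixed
releases come from the OpenSSL advisory (secadv_20140605); the helper
names are assumptions of this example.
"""
import re
import ssl

# Minimum fixed release per affected OpenSSL branch, per the advisory.
FIXED_IN = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# Matches e.g. "OpenSSL 1.0.1g 7 Apr 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta(\d+))?")


def _letter_rank(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'.

    OpenSSL only ever extends past 'z' with a 'z' prefix, so summing the
    per-letter ordinals gives the right order for real release names.
    """
    return sum(ord(ch) - ord("a") + 1 for ch in suffix)


def parse_version(version_string):
    """Return (major, minor, fix, letter_suffix, beta_number_or_None).

    Returns None for strings this example does not understand (LibreSSL
    reports a different format and is deliberately left unclassified).
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    beta = int(m.group(6)) if m.group(6) else None
    return (major, minor, fix, m.group(4), beta)


def is_fixed(version_string):
    """True if the release carries the CVE-2014-0224 fix, False if it is a
    known-vulnerable release, None if the string cannot be classified."""
    parsed = parse_version(version_string)
    if parsed is None:
        return None
    major, minor, fix, suffix, beta = parsed
    branch = (major, minor, fix)
    if branch in FIXED_IN:
        return _letter_rank(suffix) >= _letter_rank(FIXED_IN[branch])
    if branch == (1, 0, 2):
        # Advisory: 1.0.2-beta1 is affected, the fix lands in 1.0.2-beta2,
        # so the final 1.0.2 release (no beta tag) carries it as well.
        return beta is None or beta >= 2
    if branch < (0, 9, 8):
        # Assumption of this example: branches older than 0.9.8 were out of
        # support in 2014 and never received the fix.
        return False
    # 1.1.x and later were released after the fix.
    return True


def check_interpreter():
    """Report the OpenSSL this interpreter was built against and its status.

    On Windows that is the copy statically linked into _ssl.pyd, which is
    why the issue above needs a new installer rather than a library update.
    """
    version = ssl.OPENSSL_VERSION
    return version, is_fixed(version)


if __name__ == "__main__":
    version, fixed = check_interpreter()
    status = {True: "fixed", False: "VULNERABLE to CVE-2014-0224", None: "unclassified"}[fixed]
    print("%s: %s" % (version, status))
```

Run it with the interpreter you are worried about (for this issue, the Windows installer's `python.exe`), not with whatever `python` is first on `PATH`; the check reports the library compiled into that interpreter's `_ssl` module, which on Windows is unrelated to any OpenSSL DLL elsewhere on the machine.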
zware (Member) commented Jun 5, 2014

2.7, 3.4, and default should be updated; should we do anything for 3.1-3.3 since they will not get any further installers?

ned-deily (Member) commented

This isn't an issue for releases in security-fix mode (3.1, 3.2, 3.3) since there are no changes to Python involved and we do not provide binary installers for releases in that mode.

dstufft (Member) commented Jun 5, 2014

Might it make sense to special case 3.2 and 3.3 since the last releases of those were not security releases and the security issue is with a bundled library?

ned-deily (Member) commented

We can ask for an opinion from the 3.2 and 3.3 release managers (adding Georg), but I doubt that anyone is going to be interested in producing Windows binary installers for those releases, plus we haven't done this for 3.2.x for recent previous OpenSSL CVEs, have we?

python-dev (mannequin) commented Jun 6, 2014

New changeset 3dfdcc97250f by Zachary Ware in branch '2.7':
Issue bpo-21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h
http://hg.python.org/cpython/rev/3dfdcc97250f

New changeset 79f3d25caac3 by Zachary Ware in branch '3.4':
Issue bpo-21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h
http://hg.python.org/cpython/rev/79f3d25caac3

New changeset a32ced15b883 by Zachary Ware in branch 'default':
Issue bpo-21671: Merge with 3.4
http://hg.python.org/cpython/rev/a32ced15b883

birkenfeld (Member) commented
Martin, would you make installers for a new 3.2 and 3.3 release?

loewis (mannequin) commented Jun 6, 2014

I'm unsure. I'd rather stick to the established policy. If there are reasons to change the policy, I'd like to know what they are and what a new policy should look like, instead of making a singular exception from the policy.

For the record, the reason *for* the policy is that it reduces maintenance burden; I'm unsure whether I still have the environment to build Python 3.2, for example.

birkenfeld (Member) commented
Well, it's entirely logical to follow our own policies :)

zware (Member) commented Jun 8, 2014

So installers are out for 3.1-3.3; should we still update the externals script and pyproject properties for those branches anyway? If not, this issue should be ready to close.

zware added the label type-security on Jun 8, 2014
zooba (Member) commented Jun 8, 2014

The only reason to do it is to help out those who build from source, which I suspect is an incredibly small group on Windows. We'd also be signing up to keep doing it, and implying that it's been tested.

I say don't bother.

zware (Member) commented Jun 8, 2014

Good enough for me.

@zware zware closed this as completed Jun 8, 2014
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022