>>> import sys,ssl
>>> sys.version
'3.9.4 (tags/v3.9.4:1f2e308, Apr  4 2021, 13:27:16) [MSC v.1928 64 bit (AMD64)]'
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.1.1i  8 Dec 2020'

I may well be holding it wrong, but something seems off.

No, I think I was holding git wrong (and built 1.1.1i again instead of 1.1.1k).

Guess we get to do more releases...

Uh :(

No more holiday releases, please. The RMs and release team need their vacation.

No more holiday releases, please. The RMs and release team need their vacation.

I agree, can you ask OpenSSL to stop releasing fixes? (or alternatively, can you convince everyone to let us switch to the native TLS stack on Windows where the upstream fixes are released before they are announced to the world ;) )

Given that the PR is against master is this issue present in Python 3.10 alphas too since last alpha was released today.

It is, but I wouldn't hold up an alpha or beta release because of this.

New changeset 354b015 by Steve Dower in branch 'master':
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
354b015

I elect to replace 3.9.4 Windows installers.

1. It's a Windows installer specific problem, no other users are affected.

2. You can always reinstall. You can tell by the dates reported by the REPL or in fact by checking ssl.OPENSSL_VERSION.

3. There will be 3.9.5 on May 3 anyway soon enough.

Yeeeessss.... we caaaann.... I think we may regret it, but happy to go with it if you'd prefer.

FWIW, the code change isn't necessary if you do a totally clean rebuild. However, most builders do not do totally clean rebuilds, so the code change ensures that they are not caught out.

(Confirmation just came through another channel, so I'm doing a rebuild of the v3.9.4 and v3.8.9 tags now.)

New changeset 611aa39 by Steve Dower in branch '3.9':
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
611aa39

A new 3.9.4 and 3.8.9 release is available for download from python.org. The Nuget and Windows Store packages will have to remain as the original versions, since those do not allow us to overwrite with the same version number.

New changeset 9a988b8 by Miss Islington (bot) in branch '3.8':
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
9a988b8

Thanks for the quick action on this!

I've downloaded the new 3.8.9/3.9.4 installers, but they are unable to run over my existing 3.8.9/3.9.4 installs; "Unable to install python 3.9.4 (64-bit) due to an existing install." This is probably fine as I can just uninstall/reinstall (I hope), so just FYI.

I've upgraded my 32-bit install from 3.9.2 to the new 3.9.4 installer without issue.

Are you able to also update the embeddable packages please?

Are you able to also update the embeddable packages please?

They've been updated, it's just the CDN hasn't purged those files. I
need to add those files to the script.

It should show up within 24 hours, if I don't start doing the script
tonight.

The embeddable dists for 3.9.4 have updated, but the 3.8.9 packages are still showing the builds from April 2nd.

I just purged the CDN again and it seems to be fine now.

Confirmed, thanks!