Update OpenSSL used in binary releases per CVE-2023-0464 #103142

Closed
gpshead opened this issue Mar 31, 2023 · 9 comments
Labels
3.7 only security fixes 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 bug and security fixes 3.12 bugs and security fixes 3.13 new features, bugs and security fixes release-blocker topic-SSL type-security A security issue

Comments

@gpshead gpshead added type-security A security issue release-blocker 3.11 bug and security fixes 3.10 only security fixes 3.9 only security fixes 3.8 only security fixes 3.7 only security fixes labels Mar 31, 2023
@ambv
Contributor

ambv commented Apr 3, 2023

We are still waiting on the upstream OpenSSL release as of today.

@gpshead
Member Author

gpshead commented Apr 3, 2023

https://www.openssl.org/ considers these low severity, so deferring this to not block releases could make sense. Otherwise we'd need to cherry pick a few patches and apply them as part of our build or pull a pre-release tarball from their source control, both of which sound annoying.

@JelleZijlstra
Member

From https://www.openssl.org/source/ it appears there's no 1.1.1u release yet. Is this still a blocker?

@gpshead
Member Author

gpshead commented May 15, 2023

wait until the day our releases are being built and bump it back to deferred if upstream openssl hasn't done releases.

@h-vetinari

FYI: Their next release is planned to be in May.

@gpshead
Member Author

gpshead commented May 20, 2023

I hope they do that, we're currently planning to cut 3.11.4 in the first week of June per https://peps.python.org/pep-0664/.

@arhadthedev arhadthedev added 3.12 bugs and security fixes 3.13 new features, bugs and security fixes labels May 22, 2023
@h-vetinari

We need OpenSSL >= 1.1.1u | 3.0.9 | 3.1.1.

These were all released a few hours ago.
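The minimums quoted above are per release series, and the 1.1.1 series uses letter patch releases while 3.x uses a numeric patch field. The following is an added example (not CPython's own code) that parses the banner exposed by `ssl.OPENSSL_VERSION` and reports whether the linked OpenSSL meets the 1.1.1u / 3.0.9 / 3.1.1 floors; `MINIMUMS`, `parse_openssl_version` and `meets_minimum` are names chosen here, and the banner strings in the comments are constructed samples.

```python
"""Check whether the OpenSSL a Python build links meets the minimums
named in this issue: >= 1.1.1u, 3.0.9 or 3.1.1 (example code, not
CPython's own)."""
import re
import ssl

# Minimum fixed release per series, taken from the issue. The 1.1.1
# series counts letter releases (a=1 ... u=21); 3.x uses a number.
MINIMUMS = {
    (1, 1, 1): 21,  # 1.1.1u
    (3, 0): 9,      # 3.0.9
    (3, 1): 1,      # 3.1.1
}

# Matches banners such as "OpenSSL 1.1.1u  30 May 2023" (constructed).
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (series, patch) for an OpenSSL banner, or None.

    For 1.x the series is (major, minor, fix) and patch is the letter
    index (no letter -> 0); for 3.x the series is (major, minor) and
    patch is the third number. LibreSSL banners do not match.
    """
    m = _BANNER.match(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if major < 3:
        patch = ord(letter) - ord("a") + 1 if letter else 0
        return (major, minor, fix), patch
    return (major, minor), fix


def meets_minimum(banner, minimums=MINIMUMS):
    """True/False against the issue's floors; None when the banner is not
    OpenSSL or the series is not one the issue lists (e.g. 1.0.2, 3.2),
    so callers can decide how to treat an unknown series."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    series, patch = parsed
    floor = minimums.get(series)
    if floor is None:
        return None
    return patch >= floor


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", meets_minimum(ssl.OPENSSL_VERSION))
```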

miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 31, 2023
…nGH-105130)

(cherry picked from commit f90d3f6)

Co-authored-by: Ned Deily <nad@python.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 31, 2023
…nGH-105130)

(cherry picked from commit f90d3f6)

Co-authored-by: Ned Deily <nad@python.org>
ned-deily added a commit that referenced this issue May 31, 2023
…05131)

(cherry picked from commit f90d3f6)

Co-authored-by: Ned Deily <nad@python.org>
ned-deily added a commit that referenced this issue May 31, 2023
…05132)

(cherry picked from commit f90d3f6)

Co-authored-by: Ned Deily <nad@python.org>
gpshead added a commit that referenced this issue Jun 1, 2023
Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 1, 2023
…onGH-105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
(cherry picked from commit ede89af)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead added a commit that referenced this issue Jun 1, 2023
…105174) (#105199)

gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
(cherry picked from commit ede89af)

Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
gpshead added a commit to gpshead/cpython that referenced this issue Jun 1, 2023
pythonGH-105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
(cherry picked from commit ede89af)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead added a commit that referenced this issue Jun 1, 2023
…105174)  (#105200)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
gpshead added a commit to gpshead/cpython that referenced this issue Jun 1, 2023
…L 1.1.1u (pythonGH-105174)  (pythonGH-105200)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af).
(cherry picked from commit a5d2b54)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead added a commit to gpshead/cpython that referenced this issue Jun 1, 2023
…pythonGH-105174) (python#105200)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some people's builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
@gpshead
Member Author

gpshead commented Jun 1, 2023

Everything back through 3.11 has been updated to build binary releases using OpenSSL 1.1.1u.

Backports for 3.10 and 3.9 exist as PRs for their respective @pablogsal and @ambv release managers to merge.

For 3.8 and 3.7 branches, I recommend doing a backport from the 3.9 commit once that PR is merged (if the RMs choose to merge it; we don't build binary releases for versions that old so that's up to them - it's at least useful for other vendors who potentially do?)

ned-deily added a commit to ned-deily/cpython that referenced this issue Jun 5, 2023
ambv pushed a commit that referenced this issue Jun 5, 2023
…05174) (GH-105200) (#105205)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some people's builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)

Co-authored-by: Ned Deily <nad@python.org>
ambv pushed a commit that referenced this issue Jun 5, 2023
…105174) (GH-105200) (#105204)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af).
(cherry picked from commit a5d2b54)
(cherry picked from commit f90d3f6)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
ambv pushed a commit to ambv/cpython that referenced this issue Jun 6, 2023
…1.1.1u (pythonGH-105174) (pythonGH-105200) (pythonGH-105205)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some people's builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)

(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
ambv added a commit that referenced this issue Jun 6, 2023
…05174) (GH-105200) (GH-105205) (#105370)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some people's builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
@ned-deily
Member

This has now been backported to 3.8 and 3.7 as well. For 3.7, there is only a partial backport because some of the changes in earlier releases to fully support OpenSSL 3.x were not backported to 3.7.
