2012/4/23 Gregory P. Smith <greg@krypto.org>
FYI - there is a network exploitable vulnerability in OpenSSL - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110
Our Windows builds likely need updating. At the very least make sure OpenSSL is updated before the next time we produce binaries. It's up to the release managers if they want to make a new Windows-only sub-release to include the updated version of OpenSSL.
The OpenSSL Security Advisory says:
http://www.openssl.org/news/secadv_20120419.txt
"""
Affected functions are of the form d2i_*_bio or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.
"""
I don't see any occurrence of these functions in the various versions of the _ssl module. Is Python really affected by this vulnerability?
-- Amaury Forgeot d'Arc
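
One way to repeat the check described in the reply above, as an added example that is not part of the original thread: scan C source for call sites whose names match the advisory's d2i_*_bio / d2i_*_fp form, ignoring comments and string literals. The function names and the embedded C sample are constructed for illustration and are not taken from the _ssl module.

```python
import re

# Call sites of the form quoted from the advisory: d2i_*_bio( or d2i_*_fp(
AFFECTED = re.compile(r"\b(d2i_\w+_(?:bio|fp))\s*\(")

# C comments and string/char literals; mentions inside them are not calls.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_affected_calls(c_source):
    """Return (line_number, function_name) pairs in source order."""
    code = _NOISE.sub(_blank, c_source)
    hits = []
    for m in AFFECTED.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1)))
    return hits

# Constructed sample input (hypothetical code, for demonstration only).
SAMPLE_C = '''\
/* constructed sample, not taken from _ssl.c */
#include <openssl/x509.h>

static X509 *load_der(BIO *in, FILE *fp)
{
    /* d2i_X509_bio(in, NULL) mentioned in a comment only */
    X509 *a = d2i_X509(NULL, &p, len);        // not of the affected form
    X509 *b = d2i_X509_bio(in, NULL);
    PKCS12 *c = d2i_PKCS12_fp (fp, NULL);
    log("d2i_X509_fp(fp, NULL)");
    return PEM_read_bio_X509(in, NULL, NULL, NULL);
}
'''

if __name__ == "__main__":
    import sys
    # Usage: python scan_d2i.py path/to/file.c [more files...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as f:
            for line, name in find_affected_calls(f.read()):
                print(f"{path}:{line}: {name}")
```

This reports only direct call sites in the files it is given; it says nothing about how the linked OpenSSL library uses these functions internally.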