
July 9, 2015
1:39 p.m.
On 2015-07-09 15:29, Christian Heimes wrote:
> Hi,
> this just came in. According to Zachary all Windows builds use 1.0.2c. The version is vulnerable to a critical bug in the CA validation code of OpenSSL. The bug can be abused to turn any valid server certificate into a CA cert.
> We should consider a security release of Python ASAP.
Good news! I was too fast and it looks like we are mostly safe. 1.0.2c is only used in 3.5b3. The production builds are either using 1.0.2a or 1.0.1j.

Christian