[Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required
Steve Dower
Steve.Dower at microsoft.com
Tue Jun 17 20:27:30 CEST 2014
Yates, Andy (CS Houston, TX) wrote:
> Python Dev,
> Andy here. I have a Windows product based on Python and I'm getting hammered to
> release a version that includes the fix in OpenSSL 1.0.1h. My product is built
> on a Windows system using Python installed from the standard Python installer at
> Python.org. I would be grateful if I could get some advice on my options. Will
> Python.org be releasing a Windows installer with the fix any time soon or will
> it be at the next scheduled release in November? If it is November, there's no
> way I can wait that long. Now what? Would it be best to build my own Python? Is
> it possible to drop in new OpenSSL versions on Windows without rebuilding
> Python? Looking for some guidance on how to handle these OpenSSL issues on
> Windows.
You'll only need to rebuild the _ssl and _hashlib extension modules with the new OpenSSL version. The easiest way to do this is to build from source (which has already been updated for 1.0.1h if you use the externals scripts in Tools\buildbot), and you should just be able to drop _ssl.pyd and _hashlib.pyd on top of a normal install.
Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It would make this kind of in-place upgrade easier when people need to do it. Any thoughts? (Does OpenSSL even support it?)
Cheers,
Steve
> Thanks!
> Andy Yates
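
A check one might run after dropping the rebuilt _ssl.pyd onto an install (an added example, not part of the original message and not CPython's own code): it reads ssl.OPENSSL_VERSION from the running interpreter and compares it with 1.0.1h, the version named in the subject. The helper names are hypothetical, and it assumes an OpenSSL-style version string.

```python
import re
import ssl

# Minimum version named in the thread subject.
REQUIRED = "1.0.1h"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '1.0.1h' or 'OpenSSL 1.0.1h 5 Jun 2014' into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL-style version in %r" % (text,))
    major, minor, fix, letters = m.groups()
    # Letter releases run a..z, then za, zb, ...; sorting on (length, letters)
    # keeps 'z' below 'za' and a release with no patch letter lowest.
    return (int(major), int(minor), int(fix), len(letters), letters)


def is_at_least(reported, required=REQUIRED):
    """True if the reported version is the required one or newer."""
    return parse_openssl_version(reported) >= parse_openssl_version(required)


def check_runtime(required=REQUIRED):
    """Report which OpenSSL the loaded _ssl module was built against."""
    import _ssl
    return {
        "reported": ssl.OPENSSL_VERSION,
        # On Windows this is the path of the _ssl.pyd that was actually loaded.
        "module": getattr(_ssl, "__file__", "(built into the interpreter)"),
        "ok": is_at_least(ssl.OPENSSL_VERSION, required),
    }


if __name__ == "__main__":
    result = check_runtime()
    print("%(reported)s from %(module)s -> ok=%(ok)s" % result)
```

Run it with the same interpreter the product ships; the module path shows whether the replaced _ssl.pyd is the one being loaded.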