[Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

Yates, Andy (CS Houston, TX) ayates at hp.com
Thu Jun 19 20:06:51 CEST 2014


Thanks for all the good information.  We ended up building _ssl and _hashlib and dropping those into the existing Python on our build server.  That seems to be working fine. 

From my perspective ssl libraries are a special case. I think I could handle any other included library having a flaw for weeks or months, but my management and customers are sensitive to releasing software with known ssl vulnerabilities.  For Windows Python it looks like the only option for updating OpenSSL is to build from source. For us that turned out to be no big deal. However, it may be beyond the reach of some, either technically or due to the lack of access to Dev Studio.  There's also some concern that a custom build of Python may not have some secret sauce or compiler switch that could cause unexpected behavior.

That said, I'd like to see Python spin within a short period of time after a recognized OpenSSL vulnerability is fixed if it is statically linked.  This would limit exposure to the unsuspecting user who downloads Windows Python from Python.org. The next best thing would be to dynamically link to Windows OpenSSL DLLs allowing users to drop in whichever version they like.

Thanks again!!

Andy
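A check that the drop-in described in this thread actually took effect, added here as an example and not part of the original mail: it parses an OpenSSL version banner (the interpreter's `ssl.OPENSSL_VERSION`, or the output of `openssl version`) and reports whether the `_ssl` module the interpreter really loaded is at 1.0.1h or later. The fixing release comes from the thread; the function names and the decision to compare only against the 1.0.1 line are my own assumptions.

```python
import re
import ssl

# CVE-2014-0224 is fixed in 1.0.1h (from the thread). Patch letter 'h' is the
# 8th letter, so the comparable tuple is (major, minor, fix, patch_index).
FIXED_IN = (1, 0, 1, 8)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1h 5 Jun 2014' into (1, 0, 1, 8).
    Letters map a=1 .. z=26; the 'za', 'zb' series that follows 'z' is
    folded so that ordering is preserved. No letter gives 0.
    Returns None when the banner is not an OpenSSL banner (e.g. LibreSSL)."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def is_fixed(version, fixed_in=FIXED_IN):
    """True when the linked OpenSSL is 1.0.1h or anything newer.
    Assumption: only the 1.0.1 line (the one the thread discusses) and later
    lines are considered; older branches that also received the fix are
    reported as unfixed, which is the safe direction for a build check."""
    return version is not None and version >= fixed_in


def check_running_interpreter():
    """Report what this interpreter's _ssl extension is linked against,
    which is exactly what replacing _ssl.pyd is meant to change."""
    import _ssl  # the extension module itself, to see which file was loaded
    banner = ssl.OPENSSL_VERSION
    version = parse_openssl_version(banner)
    return {
        "module_path": getattr(_ssl, "__file__", "<statically linked>"),
        "banner": banner,
        "version": version,
        "cve_2014_0224_fixed": is_fixed(version),
    }


if __name__ == "__main__":
    for key, value in sorted(check_running_interpreter().items()):
        print("%-22s %s" % (key, value))
```

Run it with the interpreter you patched; `module_path` confirms the replaced `_ssl.pyd` is the one being imported rather than a stale copy elsewhere on `sys.path`.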


-----Original Message-----
From: Python-Dev [mailto:python-dev-bounces+ayates=hp.com at python.org] On Behalf Of Benjamin Peterson
Sent: Tuesday, June 17, 2014 2:07 PM
To: Ned Deily; python-dev at python.org
Subject: Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

On Tue, Jun 17, 2014, at 12:03, Ned Deily wrote:
> In article <81f84430ce0242e5bfa5b2264777df56 at BLUPR03MB389.namprd03.prod.outlook.com>,
>  Steve Dower <Steve.Dower at microsoft.com> wrote:
> > You'll only need to rebuild the _ssl and _hashlib extension modules 
> > with the new OpenSSL version. The easiest way to do this is to build 
> > from source (which has already been updated for 1.0.1h if you use 
> > the externals scripts in Tools\buildbot), and you should just be 
> > able to drop _ssl.pyd and _hashlib.pyd on top of a normal install.
> 
> Should we consider doing a re-spin of the Windows installers for 2.7.7 
> with 1.0.1h?  Or consider doing a 2.7.8 in the near future to address 
> this and various 2.7.7 regressions that have been identified so far 
> (Issues 21652 and 21672)?

I think we should do a 2.7.8 soon to pick up the openssl upgrade and recent CGI security fix. I would like to see those two regressions fixed first, though.
_______________________________________________
Python-Dev mailing list
Python-Dev at python.org
https://mail.python.org/mailman/listinfo/python-dev