diff options
| author | Steve Dower <steve.dower@python.org> | 2023-02-09 19:57:59 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-09 14:57:59 -0500 |
| commit | cbd192b6ff137aec25913cc80b2bf7bf1ef3755b (patch) | |
| tree | 73487e88fc381e3f949fce857f26331b106b4732 | |
| parent | c7fdc9c743d23b3c77ab4b1261748b8e395c298a (diff) | |
| download | cpython-git-cbd192b6ff137aec25913cc80b2bf7bf1ef3755b.tar.gz | |
[3.7] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101753)
Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
| -rw-r--r-- | .azure-pipelines/ci.yml | 4 | ||||
| -rw-r--r-- | .azure-pipelines/pr.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/build.yml | 2 | ||||
| -rwxr-xr-x | Mac/BuildScript/build-installer.py | 6 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst | 4 | ||||
| -rw-r--r-- | PCbuild/get_externals.bat | 4 | ||||
| -rw-r--r-- | PCbuild/python.props | 25 | ||||
| -rw-r--r-- | PCbuild/readme.txt | 2 | ||||
| -rwxr-xr-x | Tools/ssl/multissltests.py | 4 |
9 files changed, 33 insertions, 22 deletions
diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml index 3a12fe4bfa..c68d571f70 100644 --- a/.azure-pipelines/ci.yml +++ b/.azure-pipelines/ci.yml @@ -61,7 +61,7 @@ jobs: variables: testRunTitle: '$(build.sourceBranchName)-linux' testRunPlatform: linux - openssl_version: 1.1.1n + openssl_version: 1.1.1t steps: - template: ./posix-steps.yml @@ -118,7 +118,7 @@ jobs: variables: testRunTitle: '$(Build.SourceBranchName)-linux-coverage' testRunPlatform: linux-coverage - openssl_version: 1.1.1n + openssl_version: 1.1.1t steps: - template: ./posix-steps.yml diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml index 91607b931a..ba61efe62d 100644 --- a/.azure-pipelines/pr.yml +++ b/.azure-pipelines/pr.yml @@ -61,7 +61,7 @@ jobs: variables: testRunTitle: '$(system.pullRequest.TargetBranch)-linux' testRunPlatform: linux - openssl_version: 1.1.1n + openssl_version: 1.1.1t steps: - template: ./posix-steps.yml @@ -118,7 +118,7 @@ jobs: variables: testRunTitle: '$(Build.SourceBranchName)-linux-coverage' testRunPlatform: linux-coverage - openssl_version: 1.1.1n + openssl_version: 1.1.1t steps: - template: ./posix-steps.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b1951ddb1..a1f63747aa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -142,7 +142,7 @@ jobs: needs: check_source if: needs.check_source.outputs.run_tests == 'true' env: - OPENSSL_VER: 1.1.1n + OPENSSL_VER: 1.1.1t steps: - uses: actions/checkout@v2 - name: Install Dependencies diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py index 76078dcd22..7ba26a738a 100755 --- a/Mac/BuildScript/build-installer.py +++ b/Mac/BuildScript/build-installer.py @@ -209,9 +209,9 @@ def library_recipes(): result.extend([ dict( - name="OpenSSL 1.1.1n", - url="https://www.openssl.org/source/openssl-1.1.1n.tar.gz", - checksum='2aad5635f9bb338bc2c6b7d19cbc9676', + name="OpenSSL 1.1.1t", + url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz", + checksum='1cfee919e0eac6be62c88c5ae8bcd91e', buildrecipe=build_universal_openssl, configure=None, install=None, diff --git a/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst new file mode 100644 index 0000000000..43acc82063 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst @@ -0,0 +1,4 @@ +Updated the OpenSSL version used in Windows and macOS binary release builds +to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per +`the OpenSSL 2023-02-07 security advisory +<https://www.openssl.org/news/secadv/20230207.txt>`_. diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index 8f7a6aae78..4f23edd45a 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat @@ -49,7 +49,7 @@ echo.Fetching external libraries... set libraries= set libraries=%libraries% bzip2-1.0.8 -if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1s +if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1t set libraries=%libraries% sqlite-3.31.1.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0 @@ -72,7 +72,7 @@ for %%e in (%libraries%) do ( echo.Fetching external binaries... set binaries= -if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1s +if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1t if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06 diff --git a/PCbuild/python.props b/PCbuild/python.props index 53d106935b..4f198aa44e 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -46,15 +46,22 @@ <ExternalsDir>$(EXTERNALS_DIR)</ExternalsDir> <ExternalsDir Condition="$(ExternalsDir) == ''">$([System.IO.Path]::GetFullPath(`$(PySourcePath)externals`))</ExternalsDir> <ExternalsDir Condition="!HasTrailingSlash($(ExternalsDir))">$(ExternalsDir)\</ExternalsDir> - <sqlite3Dir>$(ExternalsDir)sqlite-3.31.1.0\</sqlite3Dir> - <bz2Dir>$(ExternalsDir)bzip2-1.0.8\</bz2Dir> - <lzmaDir>$(ExternalsDir)xz-5.2.2\</lzmaDir> - <opensslDir>$(ExternalsDir)openssl-1.1.1s\</opensslDir> - <opensslOutDir>$(ExternalsDir)openssl-bin-1.1.1s\$(ArchName)\</opensslOutDir> - <opensslIncludeDir>$(opensslOutDir)include</opensslIncludeDir> - <nasmDir>$(ExternalsDir)\nasm-2.11.06\</nasmDir> - <zlibDir>$(ExternalsDir)\zlib-1.2.12\</zlibDir> - + </PropertyGroup> + + <Import Project="$(ExternalProps)" Condition="$(ExternalProps) != '' and Exists('$(ExternalProps)')" /> + + <PropertyGroup> + <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.31.1.0\</sqlite3Dir> + <bz2Dir Condition="$(bz2Dir) == ''">$(ExternalsDir)bzip2-1.0.8\</bz2Dir> + <lzmaDir Condition="$(lzmaDir) == ''">$(ExternalsDir)xz-5.2.2\</lzmaDir> + <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1t\</opensslDir> + <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\</opensslOutDir> + <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir> + <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir> + <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.2.12\</zlibDir> + </PropertyGroup> + + <PropertyGroup> <!-- Suffix for all binaries when building for debug --> <PyDebugExt Condition="'$(PyDebugExt)' == '' and $(Configuration) == 'Debug'">_d</PyDebugExt> diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index 5e57a9590c..7c87b7a579 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -165,7 +165,7 @@ _lzma Homepage: http://tukaani.org/xz/ _ssl - Python wrapper for version 1.1.1c of the OpenSSL secure sockets + Python wrapper for version 1.1.1t of the OpenSSL secure sockets library, which is downloaded from our binaries repository at https://github.com/python/cpython-bin-deps. diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py index dc74f8d401..2a4bbf4552 100755 --- a/Tools/ssl/multissltests.py +++ b/Tools/ssl/multissltests.py @@ -48,8 +48,8 @@ OPENSSL_OLD_VERSIONS = [ ] OPENSSL_RECENT_VERSIONS = [ - "1.1.1n", - # "3.0.0-alpha2" + "1.1.1t", + "3.0.8" ] LIBRESSL_OLD_VERSIONS = [ |