Thanks for all the good information.  We ended up building _ssl and _hashlib 
and dropping those into the existing Python on our build server.  That seems to 
be working fine. 

>From my perspective ssl libraries are a special case. I think I could handle 
>any other included library having a flaw for weeks or months, but my 
>management and customers are sensitive to releasing software with known ssl 
>vulnerabilities.  For Windows Python it looks like the only option for 
>updating OpenSSL is to build from source. For us that turned out to be no big 
>deal. However, it may be beyond the reach of some, either technically or due 
>to the lack of access to Dev Studio.  There's also some concern that a custom 
>build of Python may not have some secret sauce or compiler switch that could 
>cause unexpected behavior.

That said, I'd like to see Python spin within a short period of time after a 
recognized OpenSSL vulnerability is fixed if it is statically linked.  This would 
limit exposure to the unsuspecting user who downloads Windows Python from 
Python.org. The next best thing would be to dynamically link to Windows OpenSSL 
DLLs, allowing users to drop in whichever version they like.

Thanks again!!

Andy


-----Original Message-----
From: Python-Dev [mailto:python-dev-bounces+ayates=hp....@python.org] On Behalf 
Of Benjamin Peterson
Sent: Tuesday, June 17, 2014 2:07 PM
To: Ned Deily; python-dev@python.org
Subject: Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h 
on Windows required

On Tue, Jun 17, 2014, at 12:03, Ned Deily wrote:
> In article <81f84430ce0242e5bfa5b2264777d...@blupr03mb389.namprd03.prod.outlook.com>,
>  Steve Dower <steve.do...@microsoft.com> wrote:
> > You'll only need to rebuild the _ssl and _hashlib extension modules 
> > with the new OpenSSL version. The easiest way to do this is to build 
> > from source (which has already been updated for 1.0.1h if you use 
> > the externals scripts in Tools\buildbot), and you should just be 
> > able to drop _ssl.pyd and _hashlib.pyd on top of a normal install.
> 
> Should we consider doing a re-spin of the Windows installers for 2.7.7 
> with 1.0.1h?  Or consider doing a 2.7.8 in the near future to address 
> this and various 2.7.7 regressions that have been identified so far 
> (Issues 21652 and 21672)?

I think we should do a 2.7.8 soon to pick up the openssl upgrade and recent CGI 
security fix. I would like to see those two regressions fixed first, though.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/ayates%40hp.com
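After dropping a rebuilt _ssl.pyd on top of an install, as Steve Dower describes and Andy did, the thing to verify is which OpenSSL the running interpreter's _ssl is actually linked against. The script below is an added example and not code from this thread or from CPython: it reads ssl.OPENSSL_VERSION / ssl.OPENSSL_VERSION_INFO and reports whether the build is at or past 1.0.1h, the fix level named in the subject line. Only _ssl exposes the library version, so _hashlib is not checked here; the thread's advice is to rebuild both modules together. Other OpenSSL branches have their own fixed releases and are reported as "unknown" rather than guessed. The function names and the 1.0.1-only fix table are assumptions of this example.

```python
"""Report the OpenSSL version the running Python's _ssl module is linked
against and compare it with the 1.0.1h fix level from the thread subject.

Added example, not code from the python-dev thread or from CPython.
"""
import re
import ssl

# Fix level for the 1.0.1 branch only (1.0.1h, from the thread subject).
# The patch letter is encoded 1..26 for a..z, the same scheme
# ssl.OPENSSL_VERSION_INFO uses for its fourth field.
FIXED_1_0_1 = (1, 0, 1, 8)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn a banner such as 'OpenSSL 1.0.1g 7 Apr 2014' into (1, 0, 1, 7).

    Returns None when the banner is not an OpenSSL version string (for
    example a LibreSSL build, which uses its own numbering).
    """
    m = _VERSION_RE.match(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    # A release with no letter (e.g. 1.0.1) is patch level 0; letters are
    # summed so that a hypothetical 'za' sorts after 'z'.
    patch = sum(ord(ch) - ord("a") + 1 for ch in letters)
    return (int(major), int(minor), int(fix), patch)


def assess(version):
    """Classify a (major, minor, fix, patch) tuple against the 1.0.1h fix.

    Only the 1.0.1 branch is judged; any other branch, or an unparsable
    banner, is 'unknown' and should be checked against the OpenSSL advisory
    for that branch instead of being compared numerically with 1.0.1h.
    """
    if version is None:
        return "unknown"
    if version[:3] != (1, 0, 1):
        return "unknown"
    return "fixed" if tuple(version[:4]) >= FIXED_1_0_1 else "vulnerable"


def check_running_python():
    """Return (banner, verdict) for the interpreter running this script.

    OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); the first
    four fields are what the fix-level comparison needs.
    """
    info = tuple(ssl.OPENSSL_VERSION_INFO[:4])
    return ssl.OPENSSL_VERSION, assess(info)


if __name__ == "__main__":
    banner, verdict = check_running_python()
    print("%s -> %s (relative to OpenSSL 1.0.1h)" % (banner, verdict))
```

Run it with the Python whose _ssl.pyd you replaced; if the banner still shows the old version, the new module was not picked up (wrong install directory, or a stale copy earlier on sys.path) and the swap has not taken effect.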