Update to OpenSSL 1.1.1k

[tiran]

BPO	43631
Nosy	@pfmoore, @ronaldoussoren, @tiran, @tjguk, @ned-deily, @zware, @zooba, @miss-islington, @bmw
PRs	bpo-43631: Update to OpenSSL 1.1.1k #25024 [3.9] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) #25088 [3.8] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) #25089

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2021-03-31.20:01:45.116>
created_at = <Date 2021-03-26.08:15:38.595>
labels = ['type-security', 'OS-mac', '3.8', '3.9', '3.10', 'expert-SSL', 'OS-windows']
title = 'Update to OpenSSL 1.1.1k'
updated_at = <Date 2021-03-31.20:01:45.115>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2021-03-31.20:01:45.115>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-03-31.20:01:45.116>
closer = 'christian.heimes'
components = ['macOS', 'Windows', 'SSL']
creation = <Date 2021-03-26.08:15:38.595>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 43631
keywords = ['patch']
message_count = 11.0
messages = ['389541', '389748', '389749', '389750', '389767', '389773', '389775', '389809', '389810', '389864', '389931']
nosy_count = 9.0
nosy_names = ['paul.moore', 'ronaldoussoren', 'christian.heimes', 'tim.golden', 'ned.deily', 'zach.ware', 'steve.dower', 'miss-islington', 'bmw']
pr_nums = ['25024', '25088', '25089']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue43631'
versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']

[tiran]

OpenSSL 1.1.1k contains fixes for two high severity CVEs

https://www.openssl.org/news/vulnerabilities.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449

[bmw]

When do you expect there will be new macOS and Windows downloads available at https://www.python.org/downloads/ that use OpenSSL 1.1.1k?

One of my projects is relying on these files and I wasn't sure the ETA here.

[zooba]

Assume it'll be the next scheduled release (though I haven't looked at the details of the vulnerabilities yet, so we may decide that they're more urgent for CPython users).

I'm starting the Windows build process now, but that only gets us far enough to do the integration, it's not a release.

[tiran]

Thanks!

My mail https://mail.python.org/archives/list/python-dev@python.org/thread/2GULUR43MNEW3IJM44LS5ZY2TOUANPNT/ contains a first analysis of the CVEs. I'm pretty sure any server application with server-side TLS socket is vulnerable to CVE-2021-3449.

[zooba]

I published the Windows OpenSSL builds and retriggered your PR builds, Christian.

It looks like we should probably bring up the next release for this, if only because that will cause server users to do rebuilds/updates that they may otherwise not. I doubt there are many public-facing servers running on Windows or macOS (most Windows ones let IIS handle TLS anyway, rather than doing it in Python), though Brad may be an exception here ;)

[tiran]

Thanks!

All tests are passing, but macOS is still using OpenSSL 1.1.1j.

[miss-islington]

New changeset a54fc68 by Christian Heimes in branch 'master':
bpo-43631: Update to OpenSSL 1.1.1k (GH-25024)
a54fc68

[miss-islington]

New changeset 9ac2630 by Christian Heimes in branch '3.8':
[3.8] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) (GH-25089)
9ac2630

[miss-islington]

New changeset cd82d59 by Christian Heimes in branch '3.9':
[3.9] bpo-43631: Update to OpenSSL 1.1.1k (GH-25024) (GH-25088)
cd82d59

[bmw]

To be fair, I doubt my project is affected by the CVEs. I was just looking to upgrade instead of trying to verify that.

[tiran]

CI, macOS and Windows infrastructure have been updated.