[Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required
M.-A. Lemburg mal at egenix.com
Tue Jun 17 20:55:54 CEST 2014
On 17.06.2014 20:27, Steve Dower wrote:
> Yates, Andy (CS Houston, TX) wrote:
>> Python Dev, Andy here. I have a Windows product based on Python and I'm getting hammered to release a version that includes the fix in OpenSSL 1.0.1h. My product is built on a Windows system using Python installed from the standard Python installer at Python.org. I would be grateful if I could get some advice on my options.
>>
>> Will Python.org be releasing a Windows installer with the fix any time soon or will it be at the next scheduled release in November? If it is November, there's no way I can wait that long. Now what? Would it be best to build my own Python? Is it possible to drop in new OpenSSL versions on Windows without rebuilding Python? Looking for some guidance on how to handle these OpenSSL issues on Windows.
>
> You'll only need to rebuild the ssl and hashlib extension modules with the new OpenSSL version. The easiest way to do this is to build from source (which has already been updated for 1.0.1h if you use the externals scripts in Tools\buildbot), and you should just be able to drop ssl.pyd and hashlib.pyd on top of a normal install.
>
> Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It would make this kind of in-place upgrade easier when people need to do it. Any thoughts? (Does OpenSSL even support it?)

Yes, no problem at all, but you'd still have to either do a new release every time a new OpenSSL problem is found (don't think that's an option for Python) or provide new compiled versions compatible with the Python modules needing the OpenSSL libs or instructions on how to build these.
Note that the hash routines are rarely affected by these OpenSSL bugs. They usually only affect the SSL/TLS protocol parts.
Alternatively, you could make use of our pyOpenSSL distribution, which includes pyOpenSSL and the OpenSSL libs (also for Windows):
http://www.egenix.com/products/python/pyOpenSSL/
We created this to address the problem of having to update OpenSSL rather often. It doesn't support Python 3 yet, but on the plus side, you do get OpenSSL libs which are compiled with the same compiler versions used for the Python.org installers.
--
Marc-Andre Lemburg
eGenix.com
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
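
An added example, not part of the original message or of CPython: one way to confirm, after dropping in a rebuilt ssl extension module, which OpenSSL build the interpreter reports and whether it is at least the 1.0.1h release named in this thread. The function names and the sample version strings are constructed for illustration; only `ssl.OPENSSL_VERSION` is a real standard-library attribute.

```python
import re
import ssl

# The thread names 1.0.1h as the release carrying the CVE-2014-0224 fix.
FIXED = "1.0.1h"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_rank) from e.g. 'OpenSSL 1.0.1g 7 Apr 2014'.

    Letter patch levels sort a < b < ... < z < za < zb; no letter ranks lowest.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letters = m.groups()
    rank = 0
    for ch in letters:
        rank += ord(ch) - ord("a") + 1  # 'a' -> 1 ... 'z' -> 26, 'za' -> 27
    return int(major), int(minor), int(fix), rank


def check(text):
    """Classify a version string against FIXED, within the 1.0.1 branch only."""
    got = parse_openssl_version(text)
    want = parse_openssl_version(FIXED)
    if got[:3] != want[:3]:
        # The thread gives no fixed release for other branches, so do not guess.
        return "other-branch"
    return "fixed" if got[3] >= want[3] else "needs-upgrade"


def linked_openssl():
    """Version string of the OpenSSL library the running ssl module uses."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    # Constructed sample strings in the format ssl.OPENSSL_VERSION uses.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014"):
        print(sample, "->", check(sample))
    print("this interpreter:", linked_openssl(), "->", check(linked_openssl()))
```

Run it with the same interpreter the product ships, since the result reflects the ssl extension module that interpreter actually loads. The hashlib module exposes no comparable version attribute, so this check covers the ssl module only.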