[Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

"Martin v. Löwis" martin at v.loewis.de
Wed Jun 18 11:46:46 CEST 2014


On 17.06.14 20:27, Steve Dower wrote:

> You'll only need to rebuild the ssl and hashlib extension modules with the new OpenSSL version. The easiest way to do this is to build from source (which has already been updated for 1.0.1h if you use the externals scripts in Tools\buildbot), and you should just be able to drop ssl.pyd and hashlib.pyd on top of a normal install.
>
> Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It would make this kind of in-place upgrade easier when people need to do it. Any thoughts? (Does OpenSSL even support it?)

We originally considered using prebuilt binaries, such as

http://slproweb.com/products/Win32OpenSSL.html

This is tricky because of CRT issues: they will likely bind to a different version of the CRT, and a) it is unclear whether this would reliably work, and b) it requires the Python installer to include a different version of the CRT, which we would not have a license to include (as the CRT redistribution license only applies to the version of the CRT that Python was built with).

There was also the desire to use the same compiler for all code distributed, to use the same optimizations on all of it. In addition, for OpenSSL, there is compile-time configuration wrt. the algorithms built into the binaries where Python's build deviates from the default.

Having a separate project to build a DLL within pcbuild.sln was never implemented. Doing so possibly increases the risk of DLL hell, if Python picks up the wrong version of OpenSSL (e.g. if Python gets embedded into some other application).

Regards, Martin
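Because OpenSSL is statically linked into the _ssl and _hashlib extension modules, the only reliable way to confirm that a given Windows install picked up the 1.0.1h rebuild is to ask the interpreter itself which OpenSSL it was built against. The following check is an added example, not code from this thread or from CPython: it parses `ssl.OPENSSL_VERSION` strings, compares `ssl.OPENSSL_VERSION_INFO` against the 1.0.1h minimum named in the thread, and reports the result for the running interpreter. The letter-to-number mapping for the patch field (a=1, ..., h=8) and the `MIN_PATCHED` constant are assumptions chosen to match the version stated above; multi-letter patch levels are deliberately rejected rather than guessed.

```python
import re
import ssl

# Minimum OpenSSL release carrying the CVE-2014-0224 fix, as the thread states:
# 1.0.1h. The letter suffix maps to the fourth ("patch") field of
# ssl.OPENSSL_VERSION_INFO for 1.0.x-style releases (a=1, b=2, ..., h=8).
# This constant is an assumption derived from the thread, not from CPython.
MIN_PATCHED = (1, 0, 1, 8)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(version_string):
    """Turn a string such as 'OpenSSL 1.0.1h 5 Jun 2014' into (1, 0, 1, 8).

    Only single-letter patch levels are handled; anything past 'z' raises
    instead of producing a number that might compare wrongly.
    """
    m = _VERSION_RE.search(version_string)
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % (version_string,))
    major, minor, fix, letters = m.groups()
    if len(letters) > 1:
        raise ValueError("multi-letter patch level not supported: %r" % (letters,))
    patch = (ord(letters) - ord("a") + 1) if letters else 0
    return (int(major), int(minor), int(fix), patch)


def is_patched(version_info, minimum=MIN_PATCHED):
    """True if the first four fields of version_info are >= minimum.

    version_info may be the 5-tuple from ssl.OPENSSL_VERSION_INFO (the fifth
    field, release status, is ignored) or a 4-tuple from parse_openssl_version.
    """
    return tuple(version_info[:4]) >= tuple(minimum)


def check_running_interpreter():
    """Report what the running interpreter's _ssl module was linked against.

    Note: OpenSSL 3.x encodes its version number differently from 1.0.x, so
    the parsed string and the tuple need not agree field-by-field there; the
    ordering comparison against a 1.0.1h minimum still holds.
    """
    info = tuple(ssl.OPENSSL_VERSION_INFO)
    return {
        "version_string": ssl.OPENSSL_VERSION,
        "version_info": info,
        "patched_for_cve_2014_0224": is_patched(info),
    }


if __name__ == "__main__":
    for key, value in sorted(check_running_interpreter().items()):
        print("%-28s %s" % (key, value))
```

Run it with the interpreter you just dropped the rebuilt `ssl.pyd` and `hashlib.pyd` into; if `patched_for_cve_2014_0224` is still False, the new extension modules were not the ones picked up, which is exactly the DLL-hell style failure the thread worries about for an embedded Python.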
