[Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required
Steve Dower Steve.Dower at microsoft.com
Wed Jun 18 15:07:02 CEST 2014
Yeah, the fact that it really has to be our own copy of the DLL negates the advantage. If someone can rebuild that, they could rebuild the modules that statically link it.
Cheers, Steve
Top-posted from my Windows Phone
From: Martin v. Löwis <martin at v.loewis.de>
Sent: 6/18/2014 2:46
To: Steve Dower <Steve.Dower at microsoft.com>; Yates, Andy (CS Houston, TX) <ayates at hp.com>; Python-Dev at python.org
Subject: Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required
On 17.06.14 20:27, Steve Dower wrote:
> You'll only need to rebuild the ssl and hashlib extension modules with the new OpenSSL version. The easiest way to do this is to build from source (which has already been updated for 1.0.1h if you use the externals scripts in Tools\buildbot), and you should just be able to drop ssl.pyd and hashlib.pyd on top of a normal install.
> Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It would make this kind of in-place upgrade easier when people need to do it. Any thoughts? (Does OpenSSL even support it?)
We originally considered using prebuilt binaries, such as
http://slproweb.com/products/Win32OpenSSL.html
This is tricky because of CRT issues: they will likely bind to a different version of the CRT, and a) it is unclear whether this would reliably work, and b) it requires the Python installer to include a different version of the CRT, which we would not have a license to include (as the CRT redistribution license only applies to the version of the CRT that Python was built with).
There was also the desire to use the same compiler for all code distributed, to use the same optimizations on all of it. In addition, for OpenSSL, there is compile-time configuration wrt. the algorithms built into the binaries where Python's build deviates from the default.
Having a separate project to build a DLL within pcbuild.sln was never implemented. Doing so possibly increases the risk of DLL hell, if Python picks up the wrong version of OpenSSL (e.g. if Python gets embedded into some other application).
Regards, Martin
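Because the thread's fix is to replace statically linked extension modules in place, the check afterwards is whether the running interpreter's ssl module really carries the new OpenSSL. The following is an added example, not code from the thread or from CPython; the function names and the sample version strings in the comments are constructed for illustration, and only `ssl.OPENSSL_VERSION` is a real attribute.

```python
import re
import ssl

# Fixed release named in the thread subject.
FIXED = "1.0.1h"

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '1.0.1h' or 'OpenSSL 1.0.1g 7 Apr 2014' into a sortable tuple."""
    m = _VER.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % (text,))
    major, minor, fix, letters = m.groups()
    # Letter releases sort as '' = 0, 'a' = 1 ... 'z' = 26, 'za' = 27.
    patch = sum(ord(ch) - ord("a") + 1 for ch in letters)
    return (int(major), int(minor), int(fix), patch)


def status(version_text, fixed=FIXED):
    """Classify a version string against the fixed release.

    'ok'            same branch at or past the fixed letter, or a newer branch
    'needs-rebuild' same branch, older letter release
    'other-branch'  older branch; the fixed letter for it is not given here
    """
    seen = parse_openssl_version(version_text)
    want = parse_openssl_version(fixed)
    if seen[:3] == want[:3]:
        return "ok" if seen[3] >= want[3] else "needs-rebuild"
    if seen[:3] > want[:3]:
        return "ok"
    return "other-branch"


def linked_status():
    """Status of the OpenSSL copy compiled into this interpreter's ssl module."""
    return status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", linked_status())
```

This reports only the copy linked into the ssl module; the hashlib extension is built separately and has to be replaced as well.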