]> git.ipfire.org Git - thirdparty/Python/cpython.git/commitdiff
projects / thirdparty / Python / cpython.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 32590d5)
[3.7] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u. (GH-105308)
authorNed Deily <nad@python.org>
Mon, 5 Jun 2023 08:50:00 +0000 (04:50 -0400)
committerGitHub <noreply@github.com>
Mon, 5 Jun 2023 08:50:00 +0000 (04:50 -0400)
.azure-pipelines/ci.yml patch | blob | blame | history
.azure-pipelines/pr.yml patch | blob | blame | history
.github/workflows/build.yml patch | blob | blame | history
Mac/BuildScript/build-installer.py patch | blob | blame | history
Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst [new file with mode: 0644] patch | blob
PCbuild/get_externals.bat patch | blob | blame | history
PCbuild/python.props patch | blob | blame | history
PCbuild/readme.txt patch | blob | blame | history
Tools/ssl/multissltests.py patch | blob | blame | history

diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index c68d571f70cea35180e17f96c27d43848308115b..ecb0c8e38f40a058f838f97ec181381439754251 100644 (file)
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -61,7 +61,7 @@ jobs:
   variables:
     testRunTitle: '$(build.sourceBranchName)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
@@ -118,7 +118,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
index ba61efe62d6996f89832132a310c4abb0444d7d6..da38a81ae0222ca1e7095be4e9c630b7b143f87f 100644 (file)
--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@@ -61,7 +61,7 @@ jobs:
   variables:
     testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
@@ -118,7 +118,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1t
+    openssl_version: 1.1.1u
 
   steps:
   - template: ./posix-steps.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cc2e41aad5d1862d308f74422fe87de85ae4a87a..b8ff7ed5109239341f0b2525517e1ba2db66e333 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -163,7 +163,7 @@ jobs:
     needs: check_source
     if: needs.check_source.outputs.run_tests == 'true'
     env:
-      OPENSSL_VER: 1.1.1t
+      OPENSSL_VER: 1.1.1u
     steps:
     - uses: actions/checkout@v2
     - name: Install Dependencies
diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
index 7ba26a738a9e8be8e694f8dff797c224aea2951d..685086036e7c188ac0dd6d1bb73eea4da13a5b3c 100755 (executable)
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@@ -209,9 +209,9 @@ def library_recipes():
 
     result.extend([
           dict(
-              name="OpenSSL 1.1.1t",
-              url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
-              checksum='1cfee919e0eac6be62c88c5ae8bcd91e',
+              name="OpenSSL 1.1.1u",
+              url="https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
+              checksum='72f7ba7395f0f0652783ba1089aa0dcc',
               buildrecipe=build_universal_openssl,
               configure=None,
               install=None,
diff --git a/Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst b/Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst
new file mode 100644 (file)
index 0000000..7e08368
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst
@@ -0,0 +1,2 @@
+The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
+to address several CVEs.
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index 4f23edd45ae403992d5c88ca9705f2398c6836ea..48c15e212bee47fcbc087fa8da3406ee23114ffd 100644 (file)
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -49,7 +49,7 @@ echo.Fetching external libraries...
 
 set libraries=
 set libraries=%libraries%                                       bzip2-1.0.8
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1t
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1u
 set libraries=%libraries%                                       sqlite-3.31.1.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0
@@ -72,7 +72,7 @@ for %%e in (%libraries%) do (
 echo.Fetching external binaries...
 
 set binaries=
-if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1t
+if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1u
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0
 if NOT "%IncludeSSLSrc%"=="false"  set binaries=%binaries% nasm-2.11.06
 
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 4f198aa44e5f6665cdbabe0462f2d3a78e6cebf7..8fb1c3ee9568c3e93bac9568e3aaf1d6c466dffa 100644 (file)
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -54,8 +54,8 @@
     <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.31.1.0\</sqlite3Dir>
     <bz2Dir Condition="$(bz2Dir) == ''">$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
     <lzmaDir Condition="$(lzmaDir) == ''">$(ExternalsDir)xz-5.2.2\</lzmaDir>
-    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1t\</opensslDir>
-    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\</opensslOutDir>
+    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1u\</opensslDir>
+    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1u\$(ArchName)\</opensslOutDir>
     <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
     <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
     <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.2.12\</zlibDir>
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 7c87b7a57994bccbb53b965f9820369822b3371c..d9d54691e11b02e5e10da5c25b4354a86d902c88 100644 (file)
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -165,7 +165,7 @@ _lzma
     Homepage:
         http://tukaani.org/xz/
 _ssl
-    Python wrapper for version 1.1.1t of the OpenSSL secure sockets
+    Python wrapper for version 1.1.1u of the OpenSSL secure sockets
     library, which is downloaded from our binaries repository at
     https://github.com/python/cpython-bin-deps.
 
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 2a4bbf4552cb76441e1ffe47c906606841ed51ef..e697512b329c46760442b9b8dddaeaa343b5a80f 100755 (executable)
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -43,21 +43,17 @@ import tarfile
 log = logging.getLogger("multissl")
 
 OPENSSL_OLD_VERSIONS = [
-    "1.0.2u",
-    "1.1.0l",
 ]
 
 OPENSSL_RECENT_VERSIONS = [
-    "1.1.1t",
-    "3.0.8"
+    "1.1.1u",
+    "3.0.9"
 ]
 
 LIBRESSL_OLD_VERSIONS = [
-    "2.9.2",
 ]
 
 LIBRESSL_RECENT_VERSIONS = [
-    "3.1.0",
 ]
 
 # store files in ../multissl
Mirror of https://github.com/python/cpython.git