[3.7] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101753)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>

diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index 3a12fe4bfa437600739231f9ca0e378d659eb5a9..c68d571f70cea35180e17f96c27d43848308115b 100644 (file)
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -61,7 +61,7 @@ jobs:
   variables:
     testRunTitle: '$(build.sourceBranchName)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml
@@ -118,7 +118,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
index 91607b931a360ebb1fd860907ed4333a10c7f826..ba61efe62d6996f89832132a310c4abb0444d7d6 100644 (file)
--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@@ -61,7 +61,7 @@ jobs:
   variables:
     testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml
@@ -118,7 +118,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1b1951ddb1af9462d9b5cb68bc8a541a5dfb8c71..a1f63747aa2afa78ac4c4f183abb50849e9ccc15 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -142,7 +142,7 @@ jobs:
     needs: check_source
     if: needs.check_source.outputs.run_tests == 'true'
     env:
-      OPENSSL_VER: 1.1.1n
+      OPENSSL_VER: 1.1.1t
     steps:
     - uses: actions/checkout@v2
     - name: Install Dependencies

diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
index 76078dcd22c3910399df30becba890e949c273d0..7ba26a738a9e8be8e694f8dff797c224aea2951d 100755 (executable)
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@@ -209,9 +209,9 @@ def library_recipes():
 
     result.extend([
           dict(
-              name="OpenSSL 1.1.1n",
-              url="https://www.openssl.org/source/openssl-1.1.1n.tar.gz",
-              checksum='2aad5635f9bb338bc2c6b7d19cbc9676',
+              name="OpenSSL 1.1.1t",
+              url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+              checksum='1cfee919e0eac6be62c88c5ae8bcd91e',
               buildrecipe=build_universal_openssl,
               configure=None,
               install=None,

diff --git a/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst
new file mode 100644 (file)
index 0000000..43acc82
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst
@@ -0,0 +1,4 @@
+Updated the OpenSSL version used in Windows and macOS binary release builds
+to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per
+`the OpenSSL 2023-02-07 security advisory
+<https://www.openssl.org/news/secadv/20230207.txt>`_.

diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index 8f7a6aae7833efd0485595bb17d265c8657e3647..4f23edd45ae403992d5c88ca9705f2398c6836ea 100644 (file)
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -49,7 +49,7 @@ echo.Fetching external libraries...
 
 set libraries=
 set libraries=%libraries%                                       bzip2-1.0.8
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1s
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1t
 set libraries=%libraries%                                       sqlite-3.31.1.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0
@@ -72,7 +72,7 @@ for %%e in (%libraries%) do (
 echo.Fetching external binaries...
 
 set binaries=
-if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1s
+if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1t
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0
 if NOT "%IncludeSSLSrc%"=="false"  set binaries=%binaries% nasm-2.11.06
 

diff --git a/PCbuild/python.props b/PCbuild/python.props
index 53d106935b5d5dec1da2508a1d723a4dfa4c26c7..4f198aa44e5f6665cdbabe0462f2d3a78e6cebf7 100644 (file)
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -46,15 +46,22 @@
     <ExternalsDir>$(EXTERNALS_DIR)</ExternalsDir>
     <ExternalsDir Condition="$(ExternalsDir) == ''">$([System.IO.Path]::GetFullPath(`$(PySourcePath)externals`))</ExternalsDir>
     <ExternalsDir Condition="!HasTrailingSlash($(ExternalsDir))">$(ExternalsDir)\</ExternalsDir>
-    <sqlite3Dir>$(ExternalsDir)sqlite-3.31.1.0\</sqlite3Dir>
-    <bz2Dir>$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
-    <lzmaDir>$(ExternalsDir)xz-5.2.2\</lzmaDir>
-    <opensslDir>$(ExternalsDir)openssl-1.1.1s\</opensslDir>
-    <opensslOutDir>$(ExternalsDir)openssl-bin-1.1.1s\$(ArchName)\</opensslOutDir>
-    <opensslIncludeDir>$(opensslOutDir)include</opensslIncludeDir>
-    <nasmDir>$(ExternalsDir)\nasm-2.11.06\</nasmDir>
-    <zlibDir>$(ExternalsDir)\zlib-1.2.12\</zlibDir>
-    
+  </PropertyGroup>
+
+  <Import Project="$(ExternalProps)" Condition="$(ExternalProps) != '' and Exists('$(ExternalProps)')" />
+
+  <PropertyGroup>
+    <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.31.1.0\</sqlite3Dir>
+    <bz2Dir Condition="$(bz2Dir) == ''">$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
+    <lzmaDir Condition="$(lzmaDir) == ''">$(ExternalsDir)xz-5.2.2\</lzmaDir>
+    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1t\</opensslDir>
+    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\</opensslOutDir>
+    <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
+    <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
+    <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.2.12\</zlibDir>
+  </PropertyGroup>
+
+  <PropertyGroup>
     <!-- Suffix for all binaries when building for debug -->
     <PyDebugExt Condition="'$(PyDebugExt)' == '' and $(Configuration) == 'Debug'">_d</PyDebugExt>
     

diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 5e57a9590cb6b4ed7f82216cbe54c403338e6bda..7c87b7a57994bccbb53b965f9820369822b3371c 100644 (file)
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -165,7 +165,7 @@ _lzma
     Homepage:
         http://tukaani.org/xz/
 _ssl
-    Python wrapper for version 1.1.1c of the OpenSSL secure sockets
+    Python wrapper for version 1.1.1t of the OpenSSL secure sockets
     library, which is downloaded from our binaries repository at
     https://github.com/python/cpython-bin-deps.
 

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index dc74f8d401ee7c79cc34577e7d13b0a9ea18a0ab..2a4bbf4552cb76441e1ffe47c906606841ed51ef 100755 (executable)
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -48,8 +48,8 @@ OPENSSL_OLD_VERSIONS = [
 ]
 
 OPENSSL_RECENT_VERSIONS = [
-    "1.1.1n",
-    # "3.0.0-alpha2"
+    "1.1.1t",
+    "3.0.8"
 ]
 
 LIBRESSL_OLD_VERSIONS = [