gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt

---------

Co-authored-by: Gregory P. Smith <greg@krypto.org>

diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index 133699d465358d3204572d8e2ae548a2a7cbb1c4..92f3f41a31ad0a039fcfd7abfece16eb7e2ecdac 100644 (file)
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -57,7 +57,7 @@ jobs:
   variables:
     testRunTitle: '$(build.sourceBranchName)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1q
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1q
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
index d84684e4c0302abf4a3436421035e76e81a27d02..654d32540c2a41c066a556a4ed700f6abcdd6b72 100644 (file)
--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@@ -57,7 +57,7 @@ jobs:
   variables:
     testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
     testRunPlatform: linux
-    openssl_version: 1.1.1q
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
   variables:
     testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
     testRunPlatform: linux-coverage
-    openssl_version: 1.1.1q
+    openssl_version: 1.1.1t
 
   steps:
   - template: ./posix-steps.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e47f0eb51bce80b49712a767ebd1183fd678735c..9f039d71b3c273c5b5bc3aa8378372c898941746 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -196,7 +196,7 @@ jobs:
     needs: check_source
     if: needs.check_source.outputs.run_tests == 'true'
     env:
-      OPENSSL_VER: 1.1.1q
+      OPENSSL_VER: 1.1.1t
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@v3
@@ -240,7 +240,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        openssl_ver: [1.1.1q, 3.0.5]
+        openssl_ver: [1.1.1t, 3.0.8, 3.1.0-beta1]
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}
       MULTISSL_DIR: ${{ github.workspace }}/multissl

diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
index 73a725cb44f51740ea87abe6d14d21bd6efd452d..c3f92e97611da2d83e92099a42ec96e894ab0269 100755 (executable)
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@@ -246,9 +246,9 @@ def library_recipes():
 
     result.extend([
           dict(
-              name="OpenSSL 1.1.1s",
-              url="https://www.openssl.org/source/openssl-1.1.1s.tar.gz",
-              checksum='c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa',
+              name="OpenSSL 1.1.1t",
+              url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+              checksum='8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b',
               buildrecipe=build_universal_openssl,
               configure=None,
               install=None,

diff --git a/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst
new file mode 100644 (file)
index 0000000..43acc82
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst
@@ -0,0 +1,4 @@
+Updated the OpenSSL version used in Windows and macOS binary release builds
+to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per
+`the OpenSSL 2023-02-07 security advisory
+<https://www.openssl.org/news/secadv/20230207.txt>`_.

diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index 6452bbdd77602d038a751f4ad976a85052c0f3de..f700b95392281f030b1c7a43fd2bc16cafb1313f 100644 (file)
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -53,7 +53,7 @@ echo.Fetching external libraries...
 set libraries=
 set libraries=%libraries%                                       bzip2-1.0.8
 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries%  libffi-3.3.0
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1s
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1t
 set libraries=%libraries%                                       sqlite-3.39.4.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.12.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.12.0
@@ -77,7 +77,7 @@ echo.Fetching external binaries...
 
 set binaries=
 if NOT "%IncludeLibffi%"=="false"  set binaries=%binaries% libffi-3.3.0
-if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1s
+if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1t
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.12.0
 if NOT "%IncludeSSLSrc%"=="false"  set binaries=%binaries% nasm-2.11.06
 

diff --git a/PCbuild/python.props b/PCbuild/python.props
index 1f9b0e7736344afe64f377553eda75b4fbca1a09..98dbf7486d5d55ec03321b4c753935b00d60373d 100644 (file)
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -70,8 +70,8 @@
     <libffiDir Condition="$(libffiDir) == ''">$(ExternalsDir)libffi-3.3.0\</libffiDir>
     <libffiOutDir Condition="$(libffiOutDir) == ''">$(libffiDir)$(ArchName)\</libffiOutDir>
     <libffiIncludeDir Condition="$(libffiIncludeDir) == ''">$(libffiOutDir)include</libffiIncludeDir>
-    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1s\</opensslDir>
-    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1s\$(ArchName)\</opensslOutDir>
+    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1t\</opensslDir>
+    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\</opensslOutDir>
     <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
     <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
     <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.2.13\</zlibDir>

diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 155212625cccb1a051fb89da73b89796182184e6..d39a0708a10a0dedcdd8cdcb2ca881d970bdc059 100644 (file)
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -167,7 +167,7 @@ _lzma
     Homepage:
         https://tukaani.org/xz/
 _ssl
-    Python wrapper for version 1.1.1q of the OpenSSL secure sockets
+    Python wrapper for version 1.1.1t of the OpenSSL secure sockets
     library, which is downloaded from our binaries repository at
     https://github.com/python/cpython-bin-deps.
 

diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 91d6f558bc516f2641a50e92372ed55a2d4c2e3d..27e9032395fd24c090e5759079e171ba0fc1b720 100755 (executable)
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -47,8 +47,8 @@ OPENSSL_OLD_VERSIONS = [
 ]
 
 OPENSSL_RECENT_VERSIONS = [
-    "1.1.1q",
-    "3.0.5"
+    "1.1.1t",
+    "3.0.8"
 ]
 
 LIBRESSL_OLD_VERSIONS = [