Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

2014-06-19 Thread Yates, Andy (CS Houston, TX)
Thanks for all the good information.  We ended up building _ssl and _hashlib 
and dropping those into the existing Python on our build server.  That seems to 
be working fine. 

From my perspective ssl libraries are a special case. I think I could handle 
any other included library having a flaw for weeks or months, but my 
management and customers are sensitive to releasing software with known ssl 
vulnerabilities.  For Windows Python it looks like the only option for 
updating OpenSSL is to build from source. For us that turned out to be no big 
deal. However, it may be beyond the reach of some, either technically or due 
to the lack of access to Dev Studio.  There's also some concern that a custom 
build of Python may not have some secret sauce or compiler switch that could 
cause unexpected behavior.

That said, I'd like to see Python spin within a short period of time after a 
recognized OpenSSL vulnerability is fixed if it is statically linked.  This would 
limit exposure to the unsuspecting user who downloads Windows Python from 
Python.org. The next best thing would be to dynamically link to Windows OpenSSL 
DLLs allowing users to drop in whichever version they like.

Thanks again!!

Andy


-Original Message-
From: Python-Dev [mailto:[email protected]] On Behalf 
Of Benjamin Peterson
Sent: Tuesday, June 17, 2014 2:07 PM
To: Ned Deily; [email protected]
Subject: Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h 
on Windows required

On Tue, Jun 17, 2014, at 12:03, Ned Deily wrote:
> In article
> <81f84430ce0242e5bfa5b2264777d...@blupr03mb389.namprd03.prod.outlook.com>,
> Steve Dower wrote:
> > You'll only need to rebuild the _ssl and _hashlib extension modules 
> > with the new OpenSSL version. The easiest way to do this is to build 
> > from source (which has already been updated for 1.0.1h if you use 
> > the externals scripts in Tools\buildbot), and you should just be 
> > able to drop _ssl.pyd and _hashlib.pyd on top of a normal install.
> 
> Should we consider doing a re-spin of the Windows installers for 2.7.7 
> with 1.0.1h?  Or consider doing a 2.7.8 in the near future to address 
> this and various 2.7.7 regressions that have been identified so far 
> (Issues 21652 and 21672)?

I think we should do a 2.7.8 soon to pick up the openssl upgrade and recent CGI 
security fix. I would like to see those two regressions fixed first, though.
___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/ayates%40hp.com
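After dropping a rebuilt _ssl.pyd on top of an install, the thing to verify is which OpenSSL the running interpreter actually links. The following check is an added example, not code from this thread or from CPython: it reads the real ssl.OPENSSL_VERSION / ssl.OPENSSL_VERSION_INFO attributes, parses the OpenSSL letter-suffix scheme into the numeric patch level that OPENSSL_VERSION_INFO reports, and compares against the first fixed release on each branch named in the OpenSSL advisory for CVE-2014-0224 (0.9.8za, 1.0.0m, 1.0.1h). The version strings used as sample input are constructed.

```python
import re
import ssl

# First release on each branch that contains the CVE-2014-0224 (ChangeCipherSpec
# injection) fix, per the 5 June 2014 OpenSSL advisory: 0.9.8za, 1.0.0m, 1.0.1h.
# Values are the numeric patch level ssl.OPENSSL_VERSION_INFO reports for those
# letter suffixes (the PP field of OPENSSL_VERSION_NUMBER).
CCS_FIXED_PATCH = {
    (0, 9, 8): 26,   # "za": the 0.9.8 branch ran out of single letters after "y"
    (1, 0, 0): 13,   # "m"
    (1, 0, 1): 8,    # "h"
}

# Matches the prefix of strings such as "OpenSSL 1.0.1g 7 Apr 2014" or
# "OpenSSL 1.0.2k-fips 26 Jan 2017"; LibreSSL strings deliberately do not match.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letters_to_patch(letters):
    """Map an OpenSSL patch-letter suffix to its numeric patch level.

    '' -> 0, 'a' -> 1 ... 'y' -> 25, 'za' -> 26, 'zb' -> 27.
    """
    if not letters:
        return 0
    if len(letters) == 1:
        return ord(letters) - ord("a") + 1
    if len(letters) == 2 and letters[0] == "z":
        return 26 + (ord(letters[1]) - ord("a"))
    raise ValueError("unrecognised OpenSSL patch suffix: %r" % letters)


def parse_openssl_version(version_string):
    """Parse an ssl.OPENSSL_VERSION string into (major, minor, fix, patch)."""
    match = _VERSION_RE.match(version_string)
    if not match:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    major, minor, fix = (int(part) for part in match.group(1, 2, 3))
    return major, minor, fix, letters_to_patch(match.group(4))


def fixed_for_ccs_injection(major, minor, fix, patch):
    """True when this OpenSSL version contains the CVE-2014-0224 fix."""
    branch = (major, minor, fix)
    if branch in CCS_FIXED_PATCH:
        return patch >= CCS_FIXED_PATCH[branch]
    # 1.0.2 and later were first released after the fix; anything older than
    # 0.9.8 was out of support and never received it.
    return branch > (1, 0, 1)


def check_string(version_string):
    """Convenience wrapper: parse a version string and evaluate it."""
    return fixed_for_ccs_injection(*parse_openssl_version(version_string))


def check_running_interpreter():
    """Evaluate the OpenSSL that this interpreter's _ssl module is linked against."""
    major, minor, fix, patch = ssl.OPENSSL_VERSION_INFO[:4]
    return fixed_for_ccs_injection(major, minor, fix, patch)


if __name__ == "__main__":
    status = "fixed" if check_running_interpreter() else "VULNERABLE"
    print("%s -> CVE-2014-0224 %s" % (ssl.OPENSSL_VERSION, status))
```

Running the module prints the linked OpenSSL version and the verdict. Note that this only inspects _ssl; the _hashlib extension carries its own copy of the library when statically linked and has to be rebuilt and checked separately.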


Re: [Python-Dev] Criticism of execfile() removal in Python3

2014-06-19 Thread Joseph Martinot-Lagarde

On 15/06/2014 05:15, Steve Dower wrote:

> So is exec(tokenize.open(file).read()) the actual replacement for
> execfile()? Not too bad, but still not obvious (or widely promoted - I'd
> never heard of it).

Another way is to open the file in binary, then exec() itself checks whether 
an encoding is defined in the file. This is what is used in spyder:


exec(open(file, 'rb').read())

Here is the discussion for reference: 
https://bitbucket.org/spyder-ide/spyderlib/pull-request/3/execution-on-current-spyder-interpreter/diff


This behavior is not indicated in the documentation but is somehow 
confirmed on stackoverflow: 
http://stackoverflow.com/questions/6357361/alternative-to-execfile-in-python-3-2/6357418?noredirect=1#comment30467918_6357418




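The encoding behaviour described above, as an added example that is not part of the thread or of Spyder's code: it writes a constructed latin-1 source file carrying a PEP 263 coding cookie and runs it three ways. exec() on the raw bytes (the Spyder approach) and tokenize.open() (the replacement quoted from Steve Dower) both honour the cookie; decoding the file with an encoding chosen by the caller ignores the cookie and fails outright when the guess is UTF-8. compile() is passed the real path so that tracebacks name the file instead of "<string>".

```python
import tempfile
import tokenize
from pathlib import Path

# Constructed sample module: declares latin-1 via a PEP 263 coding cookie and
# contains the single byte 0xE9 ("é" in latin-1), which is not valid UTF-8.
SAMPLE_SOURCE = (
    b"# -*- coding: latin-1 -*-\n"
    b"value = 'caf\xe9'\n"
)


def write_sample(directory):
    """Write the constructed sample file and return its path."""
    path = Path(directory) / "sample_latin1.py"
    path.write_bytes(SAMPLE_SOURCE)
    return str(path)


def run_bytes(path):
    """exec() on raw bytes: the compiler reads the coding cookie itself."""
    namespace = {}
    with open(path, "rb") as f:
        source = f.read()
    exec(compile(source, path, "exec"), namespace)
    return namespace["value"]


def run_tokenize(path):
    """tokenize.open() detects the cookie and returns already-decoded text."""
    namespace = {}
    with tokenize.open(path) as f:
        source = f.read()
    exec(compile(source, path, "exec"), namespace)
    return namespace["value"]


def run_text(path, encoding):
    """Decode with a caller-chosen encoding, which bypasses the cookie.

    Returns the executed value, or the exception class name when decoding
    fails, so the failure mode is visible to the caller instead of raising.
    """
    namespace = {}
    try:
        with open(path, "r", encoding=encoding) as f:
            source = f.read()
    except UnicodeDecodeError as exc:
        return type(exc).__name__
    exec(compile(source, path, "exec"), namespace)
    return namespace["value"]


def demo():
    """Run every variant against the sample file and collect the results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample(tmp)
        return {
            "bytes": run_bytes(path),
            "tokenize": run_tokenize(path),
            "text_latin1": run_text(path, "latin-1"),
            "text_utf8": run_text(path, "utf-8"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-12s %s" % (name, result))
```

The bytes and tokenize variants agree because both defer to the cookie; the text variant only works when the caller happens to pick the right encoding, which is exactly the guess execfile() never had to make.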


Re: [Python-Dev] Criticism of execfile() removal in Python3

2014-06-19 Thread Paul Moore
On 19 June 2014 20:39, Joseph Martinot-Lagarde wrote:
> Another way is to open the file in binary, then exec() checks itself if an
> encoding is defined in the file. This is what is used in spyder:
>
> exec(open(file, 'rb').read())
>
> Here is the discussion for reference:
> https://bitbucket.org/spyder-ide/spyderlib/pull-request/3/execution-on-current-spyder-interpreter/diff

It would be good to document this. Could you open a docs bug to get this added?

Paul