[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Zachary Ware added the comment: Good enough for me. -- resolution: -> fixed stage: commit review -> resolved status: open -> closed ___ Python tracker ___ __

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

__ From: Zachary Ware<mailto:rep...@bugs.python.org> Sent: ‎6/‎8/‎2014 11:57 To: Steve Dower<mailto:steve.do...@microsoft.com> Subject: [issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required Zachary Ware added the comment: So installers are out for 3.1-3.3;

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Zachary Ware added the comment: So installers are out for 3.1-3.3; should we still update the externals script and pyproject properties for those branches anyway? If not, this issue should be ready to close. -- stage: -> commit review status: open -> pending type: -> security _

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Georg Brandl added the comment: Well, it's entirely logical to follow our own policies :) -- ___ Python tracker ___ ___ Python-bugs-li

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Martin v. Löwis added the comment: I'm unsure. I'd rather stick to the established policy. If there are reasons to change the policy, I'd like to know what they are and what a new policy should look like, instead of making a singular exception from the policy. For the record, the reason *for*

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Georg Brandl added the comment: Martin, would you make installers for a new 3.2 and 3.3 release? -- ___ Python tracker ___ ___ Python-

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Roundup Robot added the comment: New changeset 3dfdcc97250f by Zachary Ware in branch '2.7': Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h http://hg.python.org/cpython/rev/3dfdcc97250f New changeset 79f3d25caac3 by Zachary Ware in branch '3.4': Issue #21671, CVE-2014-02

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Changes by Alex Gaynor : -- nosy: +alex ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Ned Deily added the comment: We can ask for an opinion from the 3.2 and 3.3 release managers (adding Georg) but I doubt that anyone is going to be interested in producing Windows binary installers for those release plus we haven't done this for 3.2.x for recent previous OpenSSL CVE's, have we?

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Donald Stufft added the comment: Might it make sense to special case 3.2 and 3.3 since the last releases of those were not security releases and the security issue is with a bundled library? -- nosy: +dstufft ___ Python tracker

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Ned Deily added the comment: This isn't an issue for releases in security-fix mode (3.1, 3.2, 3.3) since there are not changes to Python involved and we do not provide binary installers for releases in that mode. -- keywords: +security_issue nosy: +benjamin.peterson, larry, ned.deily p

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

Zachary Ware added the comment: 2.7, 3.4, and default should be updated; should we do anything for 3.1-3.3 since they will not get any further installers? -- nosy: +loewis, steve.dower, zach.ware ___ Python tracker

[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

New submission from Chris Lambacher: http://www.openssl.org/news/secadv_20140605.txt All client versions of OpenSSL are vulnerable so all Windows builds of Python are vulnerable to MITM attacks when connecting to vulnerable servers. -- components: Build, Windows messages: 219828 nosy: