[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-08 Thread Zachary Ware

Zachary Ware added the comment:

So installers are out for 3.1-3.3; should we still update the externals script 
and pyproject properties for those branches anyway?  If not, this issue should 
be ready to close.

--
stage:  -> commit review
status: open -> pending
type:  -> security

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue21671
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-08 Thread Steve Dower

Steve Dower added the comment:

The only reason to do it is to help out those who build from source, which I 
suspect is an incredibly small group on Windows. We'd also be signing up to 
keep doing it, and implying that it's been tested.

I say don't bother.


--
status: pending -> open




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-08 Thread Zachary Ware

Zachary Ware added the comment:

Good enough for me.

--
resolution:  -> fixed
stage: commit review -> resolved
status: open -> closed




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-07 Thread Georg Brandl

Georg Brandl added the comment:

Well, it's entirely logical to follow our own policies :)




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-06 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 3dfdcc97250f by Zachary Ware in branch '2.7':
Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h
http://hg.python.org/cpython/rev/3dfdcc97250f

New changeset 79f3d25caac3 by Zachary Ware in branch '3.4':
Issue #21671, CVE-2014-0224: Update the Windows build to openssl-1.0.1h
http://hg.python.org/cpython/rev/79f3d25caac3

New changeset a32ced15b883 by Zachary Ware in branch 'default':
Issue #21671: Merge with 3.4
http://hg.python.org/cpython/rev/a32ced15b883

--
nosy: +python-dev




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-06 Thread Georg Brandl

Georg Brandl added the comment:

Martin, would you make installers for a new 3.2 and 3.3 release?




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-06 Thread Martin v. Löwis

Martin v. Löwis added the comment:

I'm unsure. I'd rather stick to the established policy. If there are reasons to 
change the policy, I'd like to know what they are and what a new policy should 
look like, instead of making a singular exception from the policy.

For the record, the reason *for* the policy is that it reduces maintenance 
burden; I'm unsure whether I still have the environment to build Python 3.2, 
for example.




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-05 Thread Chris Lambacher

New submission from Chris Lambacher:

http://www.openssl.org/news/secadv_20140605.txt

All client versions of OpenSSL are vulnerable so all Windows builds of Python 
are vulnerable to MITM attacks when connecting to vulnerable servers.

--
components: Build, Windows
messages: 219828
nosy: lambacck
priority: normal
severity: normal
status: open
title: CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-05 Thread Zachary Ware

Zachary Ware added the comment:

2.7, 3.4, and default should be updated; should we do anything for 3.1-3.3 
since they will not get any further installers?

--
nosy: +loewis, steve.dower, zach.ware




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-05 Thread Ned Deily

Ned Deily added the comment:

This isn't an issue for releases in security-fix mode (3.1, 3.2, 3.3) since 
there are no changes to Python involved and we do not provide binary 
installers for releases in that mode.

--
keywords: +security_issue
nosy: +benjamin.peterson, larry, ned.deily
priority: normal -> release blocker
versions:  -Python 3.1, Python 3.2, Python 3.3




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-05 Thread Donald Stufft

Donald Stufft added the comment:

Might it make sense to special case 3.2 and 3.3 since the last releases of 
those were not security releases and the security issue is with a bundled 
library?

--
nosy: +dstufft




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-05 Thread Ned Deily

Ned Deily added the comment:

We can ask for an opinion from the 3.2 and 3.3 release managers (adding Georg) 
but I doubt that anyone is going to be interested in producing Windows binary 
installers for those releases, plus we haven't done this for 3.2.x for recent 
previous OpenSSL CVEs, have we?

--
nosy: +georg.brandl




[issue21671] CVE-2014-0224: OpenSSL upgrade to 1.0.1h on Windows required

2014-06-05 Thread Alex Gaynor

Changes by Alex Gaynor alex.gay...@gmail.com:


--
nosy: +alex
