We have been made aware that the code signing certificates used for our
3.12.8 and 3.13.1 releases on Windows may have been used to sign malicious
code. As a precautionary measure, the certificate has been revoked, which
may result in Windows warning about or refusing to execute these versions
of Python. Additionally we’ve rotated all secrets related to code signing
for Windows.

After auditing the artifacts and build processes for the releases named
above, we have found no indication that the CPython build infrastructure or
the signing process itself was compromised. Our signing infrastructure
generates new certificates frequently, so these are the only affected
releases (see the explanation at the end of
https://www.python.org/downloads/). There are no known issues with the
releases themselves; the certificate has been revoked to reduce the risk of
malicious code hiding behind our reputation.

As a workaround for the Windows warnings, we suggest updating to 3.12.10 or
3.13.7, which were signed with different certificates.
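To find out which interpreters on a Windows machine are one of the two named
releases, and how Windows currently evaluates their Authenticode signatures,
the following PowerShell can be run on each host. It is an added example and
is not part of this announcement or of CPython's own tooling; the default
install paths and the assumption that the executable's ProductVersion string
begins with the X.Y.Z release number are assumptions that may need adjusting.

```powershell
# Added example, not from the PSF announcement. Reports the Authenticode
# signature state of installed python.exe binaries and flags the releases
# whose certificate the advisory says was revoked.

function Get-PythonSigningReport {
    param(
        # Candidate interpreter locations. The per-user and all-users default
        # install paths for 3.12 and 3.13 are assumed; add others as needed.
        [string[]]$Paths = @(
            "$env:LOCALAPPDATA\Programs\Python\Python312\python.exe",
            "$env:LOCALAPPDATA\Programs\Python\Python313\python.exe",
            "$env:ProgramFiles\Python312\python.exe",
            "$env:ProgramFiles\Python313\python.exe"
        ),
        # Releases named in the advisory.
        [string[]]$AffectedVersions = @('3.12.8', '3.13.1')
    )

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Reads the embedded signature and builds the signer chain; the
        # binary is inspected, not executed.
        $sig = Get-AuthenticodeSignature -FilePath $path

        # Assumption: the version resource's ProductVersion starts with the
        # X.Y.Z release number. Only that leading part is compared.
        $ver      = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
        $shortVer = [regex]::Match([string]$ver, '^\d+\.\d+\.\d+').Value

        [pscustomobject]@{
            Path            = $path
            ProductVersion  = $ver
            AffectedRelease = ($AffectedVersions -contains $shortVer)
            SignatureStatus = $sig.Status          # Valid, NotTrusted, HashMismatch, ...
            StatusMessage   = $sig.StatusMessage
            Signer          = $sig.SignerCertificate.Subject
            Thumbprint      = $sig.SignerCertificate.Thumbprint
            CertNotAfter    = $sig.SignerCertificate.NotAfter
            TimeStamper     = $sig.TimeStamperCertificate.Subject
        }
    }
}

# Usage: show everything, then isolate interpreters that are either one of the
# affected releases or no longer validate as 'Valid' on this machine.
$report = Get-PythonSigningReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.AffectedRelease -or $_.SignatureStatus -ne 'Valid' }
```

Two caveats when reading the output. A status of Valid on a 3.12.8 or 3.13.1
binary does not mean the certificate is still good: whether the revocation is
reflected depends on the machine having fetched current revocation data
(CRL or OCSP) for the signer's chain, so treat AffectedRelease as the
authoritative signal and the status as a snapshot of local trust. Conversely,
a non-Valid status on another version is worth investigating separately, since
the announcement states that only these two releases used the revoked
certificate. Recording the Thumbprint for each installed version also lets you
confirm, after updating, that the new binaries were signed with a different
certificate.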

At this stage, no further information is available, and the investigation
into whether, and how, our certificate was misused is ongoing. We were
already following secure practices for handling code signing certificates,
and have taken additional steps to ensure that our infrastructure is not
persistently compromised. We will provide updates on this thread as they
become available.

Please see the thread on discuss.python.org for more information or if you
have questions:
https://discuss.python.org/t/windows-code-signing-certificates-for-python-3-12-8-3-13-1-revoked/103356
_______________________________________________
Security-announce mailing list -- security-announce@python.org
To unsubscribe send an email to security-announce-leave@python.org
https://mail.python.org/mailman3/lists/security-announce.python.org/