mirror of https://github.com/python/cpython
gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727)
Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt
This commit is contained in:
Gregory P. Smith
GitHub
parent
6d92373f50
commit
b41c47cd06
|
|
@ -57,7 +57,7 @@ jobs:
|
|||
variables:
|
||||
testRunTitle: '$(build.sourceBranchName)-linux'
|
||||
testRunPlatform: linux
|
||||
openssl_version: 1.1.1q
|
||||
openssl_version: 1.1.1t
|
||||
|
||||
steps:
|
||||
- template: ./posix-steps.yml
|
||||
|
|
@ -83,7 +83,7 @@ jobs:
|
|||
variables:
|
||||
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
|
||||
testRunPlatform: linux-coverage
|
||||
openssl_version: 1.1.1q
|
||||
openssl_version: 1.1.1t
|
||||
|
||||
steps:
|
||||
- template: ./posix-steps.yml
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ jobs:
|
|||
variables:
|
||||
testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
|
||||
testRunPlatform: linux
|
||||
openssl_version: 1.1.1q
|
||||
openssl_version: 1.1.1t
|
||||
|
||||
steps:
|
||||
- template: ./posix-steps.yml
|
||||
|
|
@ -83,7 +83,7 @@ jobs:
|
|||
variables:
|
||||
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
|
||||
testRunPlatform: linux-coverage
|
||||
openssl_version: 1.1.1q
|
||||
openssl_version: 1.1.1t
|
||||
|
||||
steps:
|
||||
- template: ./posix-steps.yml
|
||||
|
|
|
|||
|
|
@ -176,7 +176,7 @@ jobs:
|
|||
needs: check_source
|
||||
if: needs.check_source.outputs.run_tests == 'true'
|
||||
env:
|
||||
OPENSSL_VER: 1.1.1s
|
||||
OPENSSL_VER: 1.1.1t
|
||||
PYTHONSTRICTEXTENSIONBUILD: 1
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
|
@ -235,7 +235,7 @@ jobs:
|
|||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
openssl_ver: [1.1.1s, 3.0.7, 3.1.0-beta1]
|
||||
openssl_ver: [1.1.1t, 3.0.8, 3.1.0-beta1]
|
||||
env:
|
||||
OPENSSL_VER: ${{ matrix.openssl_ver }}
|
||||
MULTISSL_DIR: ${{ github.workspace }}/multissl
|
||||
|
|
@ -282,7 +282,7 @@ jobs:
|
|||
needs: check_source
|
||||
if: needs.check_source.outputs.run_tests == 'true'
|
||||
env:
|
||||
OPENSSL_VER: 1.1.1s
|
||||
OPENSSL_VER: 1.1.1t
|
||||
PYTHONSTRICTEXTENSIONBUILD: 1
|
||||
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
|
||||
steps:
|
||||
|
|
|
|||
|
|
@ -246,9 +246,9 @@ def library_recipes():
|
|||
|
||||
result.extend([
|
||||
dict(
|
||||
name="OpenSSL 1.1.1s",
|
||||
url="https://www.openssl.org/source/openssl-1.1.1s.tar.gz",
|
||||
checksum='c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa',
|
||||
name="OpenSSL 1.1.1t",
|
||||
url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
|
||||
checksum='8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b',
|
||||
buildrecipe=build_universal_openssl,
|
||||
configure=None,
|
||||
install=None,
|
||||
|
|
|
|||
|
|
@ -0,0 +1,4 @@
|
|||
Updated the OpenSSL version used in Windows and macOS binary release builds
|
||||
to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per
|
||||
`the OpenSSL 2023-02-07 security advisory
|
||||
<https://www.openssl.org/news/secadv/20230207.txt>`_.
|
||||
|
|
@ -53,7 +53,7 @@ echo.Fetching external libraries...
|
|||
set libraries=
|
||||
set libraries=%libraries% bzip2-1.0.8
|
||||
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.3
|
||||
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1s
|
||||
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1t
|
||||
set libraries=%libraries% sqlite-3.39.4.0
|
||||
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.13.0
|
||||
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.13.0
|
||||
|
|
@ -77,7 +77,7 @@ echo.Fetching external binaries...
|
|||
|
||||
set binaries=
|
||||
if NOT "%IncludeLibffi%"=="false" set binaries=%binaries% libffi-3.4.3
|
||||
if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1s
|
||||
if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1t
|
||||
if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.13.0
|
||||
if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06
|
||||
|
||||
|
|
|
|||
|
|
@ -74,8 +74,8 @@
|
|||
<libffiDir Condition="$(libffiDir) == ''">$(ExternalsDir)libffi-3.4.3\</libffiDir>
|
||||
<libffiOutDir Condition="$(libffiOutDir) == ''">$(libffiDir)$(ArchName)\</libffiOutDir>
|
||||
<libffiIncludeDir Condition="$(libffiIncludeDir) == ''">$(libffiOutDir)include</libffiIncludeDir>
|
||||
<opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1s\</opensslDir>
|
||||
<opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1s\$(ArchName)\</opensslOutDir>
|
||||
<opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1t\</opensslDir>
|
||||
<opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\</opensslOutDir>
|
||||
<opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
|
||||
<nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
|
||||
<zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.2.13\</zlibDir>
|
||||
|
|
|
|||
|
|
@ -169,7 +169,7 @@ _lzma
|
|||
Homepage:
|
||||
https://tukaani.org/xz/
|
||||
_ssl
|
||||
Python wrapper for version 1.1.1q of the OpenSSL secure sockets
|
||||
Python wrapper for version 1.1.1t of the OpenSSL secure sockets
|
||||
library, which is downloaded from our binaries repository at
|
||||
https://github.com/python/cpython-bin-deps.
|
||||
|
||||
|
|
|
|||
|
|
@ -46,8 +46,8 @@ OPENSSL_OLD_VERSIONS = [
|
|||
]
|
||||
|
||||
OPENSSL_RECENT_VERSIONS = [
|
||||
"1.1.1s",
|
||||
"3.0.7"
|
||||
"1.1.1t",
|
||||
"3.0.8"
|
||||
]
|
||||
|
||||
LIBRESSL_OLD_VERSIONS = [
|
||||
|
|
|
|||
Loading…
Reference in New Issue