[Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required
Ned Deily
nad at acm.org
Tue Jun 17 21:03:40 CEST 2014
In article
<81f84430ce0242e5bfa5b2264777df56 at BLUPR03MB389.namprd03.prod.outlook.com
>,
Steve Dower <Steve.Dower at microsoft.com> wrote:
> You'll only need to rebuild the _ssl and _hashlib extension modules with the
> new OpenSSL version. The easiest way to do this is to build from source
> (which has already been updated for 1.0.1h if you use the externals scripts
> in Tools\buildbot), and you should just be able to drop _ssl.pyd and
> _hashlib.pyd on top of a normal install.
Should we consider doing a re-spin of the Windows installers for 2.7.7
with 1.0.1h? Or consider doing a 2.7.8 in the near future to address
this and various 2.7.7 regressions that have been identified so far
(Issues 21652 and 21672)?
> Aside: I wonder if it's worth changing to dynamically linking to OpenSSL? It
> would make this kind of in-place upgrade easier when people need to do it.
> Any thoughts? (Does OpenSSL even support it?)
OpenSSL is often dynamically linked in Python builds on various other
platforms, for example, on Linux or OS X.
--
Ned Deily,
nad at acm.org
More information about the Python-Dev
mailing list