From exarkun at twistedmatrix.com Tue Apr 8 14:04:21 2014
From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com)
Date: Tue, 08 Apr 2014 12:04:21 -0000
Subject: [pyOpenSSL-Users] Security Advisory - CVE-2014-0160
Message-ID: <20140408120421.6674.1500280230.divmod.xquotient.72@top>

Hello,

Yesterday a `security release of OpenSSL`_ was issued, fixing a critical
vulnerability. This vulnerability allows a malicious client or server to
read up to 64KB of memory out of the remote machine, potentially
compromising any secrets within the process, including things like TLS
private certificates.

If you use pyOpenSSL as a server *or a client* then it is very likely that
this issue affects you. Any machine which is serving traffic over TLS, or
which is making outgoing TLS connections should upgrade its version of
OpenSSL immediately.

This issue has been assigned CVE-2014-0160. A `complete description of the
bug is also available`_.

New OpenSSL packages have been issued for the following operating systems:

* `Debian`_
* `Ubuntu`_

If you are dynamically linking against OpenSSL (this is the common case on
POSIX platforms) then it is likely that upgrading your OpenSSL library (and
restarting services) will address the issue for you. If you are statically
linking against OpenSSL (this is more common on Windows) then you will need
to recompile pyOpenSSL.

Note that if you are using pyOpenSSL 0.14 then pyOpenSSL is not interfacing
directly with OpenSSL. Instead the `cryptography`_ library is doing that -
but the same static vs dynamic linking guidelines apply to your
`cryptography`_ installation.

Thanks to Alex Gaynor (whose original notification email I shamelessly
copied to create this one) and Giovanni Pellerano who suggested I notify
pyOpenSSL users in the first place and to the security researchers who
discovered and publicised this vulnerability.

Jean-Paul

.. _`security release of OpenSSL`: https://www.openssl.org/news/secadv_20140407.txt
.. _`complete description of the bug is also available`: http://heartbleed.com
.. _`Debian`: https://www.debian.org/security/2014/dsa-2896
.. _`Ubuntu`: http://www.ubuntu.com/usn/usn-2165-1/
.. _`cryptography`: https://github.com/pyca/cryptography


From info at egenix.com Thu Apr 10 22:45:51 2014
From: info at egenix.com (eGenix Team: M.-A. Lemburg)
Date: Thu, 10 Apr 2014 22:45:51 +0200
Subject: [pyOpenSSL-Users] ANN: eGenix pyOpenSSL Distribution 0.13.3.1.0.1.7
Message-ID: <534702FF.6080207@egenix.com>

________________________________________________________________________

ANNOUNCING

              eGenix.com pyOpenSSL Distribution

                    Version 0.13.3.1.0.1.7

      An easy-to-install and easy-to-use distribution of the
        pyOpenSSL Python interface for OpenSSL - available
           for Windows, Mac OS X and Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.3.1.0.1.7.html

________________________________________________________________________

INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to get
started with SSL in Python.

It comes with an easy-to-use installer that includes the most recent
OpenSSL library versions in pre-compiled form, making your application
independent of OS provided OpenSSL libraries:

    http://www.egenix.com/products/python/pyOpenSSL/

pyOpenSSL is an open-source Python add-on that allows writing SSL/TLS-
aware network applications as well as certificate management tools:

    https://launchpad.net/pyopenssl/

OpenSSL is an open-source implementation of the SSL/TLS protocol:

    http://www.openssl.org/

________________________________________________________________________

NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates only
the included OpenSSL version to address a serious bug in OpenSSL 1.0.1
versions:

New in OpenSSL
--------------

 * Updated included OpenSSL libraries from OpenSSL 1.0.1e to 1.0.1f.
   See http://www.openssl.org/news/news.html and
   http://www.openssl.org/news/vulnerabilities.html for a complete list
   of changes, most important:

   - CVE-2014-0160 ("Heartbleed Bug"): A missing bounds check in the
     handling of the TLS heartbeat extension can be used to reveal up
     to 64kB of memory to a connected client or server. This issue did
     not affect versions of OpenSSL prior to 1.0.1.

   For information, also have a look at the Heartbleed Bug website:
   http://heartbleed.com/

As always, we provide binaries that include both pyOpenSSL and the
necessary OpenSSL libraries for all supported platforms: Windows x86 and
x64, Linux x86 and x64, Mac OS X PPC, x86 and x64.

We've also added egg-file distribution versions of our eGenix.com
pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available
download options. These make setups using e.g. zc.buildout and other
egg-file based installers a lot easier.

________________________________________________________________________

DOWNLOADS

The download archives and instructions for installing the package can
be found at:

    http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________

UPGRADING

Before installing this version of pyOpenSSL, please make sure that you
uninstall any previously installed pyOpenSSL version. Otherwise, you
could end up not using the included OpenSSL libs.

_______________________________________________________________________

SUPPORT

Commercial support for these packages is available from eGenix.com.
Please see

    http://www.egenix.com/services/support/

for details about our support offerings.

________________________________________________________________________

MORE INFORMATION

For more information about the eGenix pyOpenSSL Distribution, licensing
and download instructions, please visit our web-site or write to
sales at egenix.com.

Enjoy,

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
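Both messages above turn on one practical question: which OpenSSL build is a given Python process actually using, and is that build in the affected 1.0.1 to 1.0.1e range (fixed in 1.0.1f, releases before 1.0.1 unaffected)? The advisory's dynamic vs static linking distinction and the eGenix note about a stale pyOpenSSL shadowing the bundled libraries are both answered by probing the running interpreter rather than the package list. The following is an added example written for this archive page; it is not code from either poster, from pyOpenSSL, cryptography or eGenix. It assumes the stdlib `ssl.OPENSSL_VERSION` / `ssl.OPENSSL_VERSION_NUMBER` attributes, the `OpenSSL.SSL.SSLeay_version` accessor, the `cryptography` backend's `openssl_version_text()` method, and a Linux `/proc/self/maps` for the shared-object check; the sample maps lines are constructed. The version-number check alone is deliberately conservative: distributions that backport the fix keep the old upstream number, so treat a "vulnerable by version" result as a prompt to confirm against the vendor package version (the Debian and Ubuntu advisories linked above), not as a verdict.

```python
"""Probe which OpenSSL this Python process loaded and classify it against the
CVE-2014-0160 affected range. Added example; assumptions are marked inline."""

# OpenSSL 1.x encodes its version as 0xMNNFFPPS: major nibble, minor byte,
# fix byte, patch byte (1 = 'a', 2 = 'b', ...), status nibble (0xf = release).
def parse_openssl_version_number(num):
    return {
        "major": (num >> 28) & 0xF,
        "minor": (num >> 20) & 0xFF,
        "fix": (num >> 12) & 0xFF,
        "patch": (num >> 4) & 0xFF,
        "status": num & 0xF,
    }


def version_text(num):
    """Render 0x1000106f as '1.0.1f'; non-release status gets a suffix."""
    v = parse_openssl_version_number(num)
    letter = chr(ord("a") + v["patch"] - 1) if v["patch"] else ""
    text = "%d.%d.%d%s" % (v["major"], v["minor"], v["fix"], letter)
    if v["status"] != 0xF:
        text += "-dev" if v["status"] == 0 else "-beta%d" % v["status"]
    return text


def heartbleed_vulnerable_by_version(num):
    """True for 1.0.1 through 1.0.1e, the range the advisory names.
    Caveat: distro builds that backport the fix keep the old number, so a
    True here means 'check the vendor package version', not 'exploitable'."""
    v = parse_openssl_version_number(num)
    if (v["major"], v["minor"], v["fix"]) != (1, 0, 1):
        return False
    return v["patch"] < 6  # 'f' is patch level 6


def libssl_paths_from_maps(lines):
    """Pick the libssl/libcrypto shared objects out of /proc/<pid>/maps text.
    An empty result from a process with a working ssl module suggests a
    statically linked OpenSSL, which a system package upgrade will not fix."""
    paths = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 6 and ("libssl" in parts[5] or "libcrypto" in parts[5]):
            paths.add(parts[5])
    return sorted(paths)


def loaded_libssl_paths(maps_path="/proc/self/maps"):
    """Linux only (assumption); returns None where the maps file is absent."""
    try:
        with open(maps_path) as f:
            return libssl_paths_from_maps(f)
    except OSError:
        return None


def loaded_openssl_report():
    """Version string seen by each binding present in this interpreter.
    Bindings that are not installed are reported as None rather than failing."""
    report = {}
    try:
        import ssl
        report["stdlib ssl"] = ssl.OPENSSL_VERSION
        report["stdlib ssl vulnerable by version"] = heartbleed_vulnerable_by_version(
            ssl.OPENSSL_VERSION_NUMBER)
    except (ImportError, AttributeError):
        report["stdlib ssl"] = None
    try:
        from OpenSSL import SSL  # pyOpenSSL; returns bytes in newer releases
        ver = SSL.SSLeay_version(SSL.SSLEAY_VERSION)
        report["pyOpenSSL"] = ver.decode() if isinstance(ver, bytes) else ver
    except Exception:  # import can fail for reasons other than absence
        report["pyOpenSSL"] = None
    try:
        from cryptography.hazmat.backends.openssl import backend
        report["cryptography"] = backend.openssl_version_text()
    except Exception:
        report["cryptography"] = None
    report["shared libssl/libcrypto mapped"] = loaded_libssl_paths()
    return report


# Constructed sample of /proc/self/maps output for a dynamically linked process.
SAMPLE_MAPS = [
    "7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 1310851 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0",
    "7f3a1c05a000-7f3a1c259000 ---p 0005a000 08:01 1310851 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0",
    "7f3a1b800000-7f3a1b9c0000 r-xp 00000000 08:01 1310843 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0",
    "7f3a1d000000-7f3a1d021000 r-xp 00000000 08:01 1048578 /lib/x86_64-linux-gnu/ld-2.13.so",
]

if __name__ == "__main__":
    for name, value in loaded_openssl_report().items():
        print("%-40s %s" % (name, value))
    for num in (0x1000105F, 0x1000106F):
        print(version_text(num), "vulnerable by version:",
              heartbleed_vulnerable_by_version(num))
```

Run it with the same interpreter that serves your application: if the stdlib, pyOpenSSL and cryptography rows disagree, more than one OpenSSL is in play, which is exactly the situation the eGenix upgrade note warns about, and an empty shared-library row on Linux is the static-linking case where recompiling, not a package upgrade, is the fix.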