Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u #105174

Merged
merged 7 commits into from
Jun 1, 2023

Conversation

gpshead
Copy link
Member

@gpshead gpshead commented May 31, 2023

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py file appears to have already been updated.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py file appears to have already been
updated.
@gpshead
Copy link
Member Author

gpshead commented May 31, 2023

#105129 does more of this, so anything missing can probably just be moved over into that. @ned-deily

@ned-deily
Copy link
Member

@gpshead Sorry I didn't ping you earlier. I did not attempt to do the Windows changes. I figured that should be in a separate PR since the versions don't always match up. But feel free to use either PR.

@zooba
Copy link
Member

zooba commented May 31, 2023

I'm doing updated binaries for Windows now. I'll let you know when they're done

@zooba
Copy link
Member

zooba commented May 31, 2023

Binaries are up now. I'll hit rerun

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

vs https://github.com/python/cpython/pull/105129/files I manually reverted edits that removed definitions from this file as for the purposes of backporting, I don't want names to disappear. some were FIPS related and I'm blindly guessing that those may be special to some vendor openssl builds without digging into the history? regardless there is no harm in keeping names, everything is #ifdef based.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm adding this, generated from 3.1.1 but do not intend to backport it beyond 3.12 (and if it causes anyone trouble in 3.12-land, we can just revert it there or re-add whatever is missing).

diff it vs the _300 file, you'll see the things missing that I avoided removing from the _300 one.

@gpshead gpshead requested review from Yhg1s and ned-deily June 1, 2023 03:47
@gpshead
Copy link
Member Author

gpshead commented Jun 1, 2023

many backport labels removed as older backports will be generated from the 3.11 backport PR and successively chained ones as many backport edits will be the same.

@gpshead gpshead merged commit ede89af into python:main Jun 1, 2023
@miss-islington
Copy link
Contributor

Thanks @gpshead for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11, 3.12.
🐍🍒⛏🤖

@gpshead gpshead deleted the openssl-1.1.1u branch June 1, 2023 16:42
@miss-islington
Copy link
Contributor

Sorry, @gpshead, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker ede89af605b1c0442353435ad22195c16274f65d 3.11

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 1, 2023
…onGH-105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
(cherry picked from commit ede89af)

Co-authored-by: Gregory P. Smith <[email protected]>
@bedevere-bot
Copy link

GH-105199 is a backport of this pull request to the 3.12 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.12 bug and security fixes label Jun 1, 2023
gpshead added a commit that referenced this pull request Jun 1, 2023
…105174) (#105199)

gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.
(cherry picked from commit ede89af)

Co-authored-by: Gregory P. Smith [Google] <[email protected]>
gpshead added a commit to gpshead/cpython that referenced this pull request Jun 1, 2023
pythonGH-105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header..
(cherry picked from commit ede89af)

Co-authored-by: Gregory P. Smith <[email protected]>
@bedevere-bot
Copy link

GH-105200 is a backport of this pull request to the 3.11 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.11 only security fixes label Jun 1, 2023
gpshead added a commit that referenced this pull request Jun 1, 2023
…105174)  (#105200)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
gpshead added a commit to gpshead/cpython that referenced this pull request Jun 1, 2023
…L 1.1.1u (pythonGH-105174)  (pythonGH-105200)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af).
(cherry picked from commit a5d2b54)

Co-authored-by: Gregory P. Smith <[email protected]>
gpshead added a commit to gpshead/cpython that referenced this pull request Jun 1, 2023
…pythonGH-105174) (python#105200)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
ambv pushed a commit that referenced this pull request Jun 5, 2023
…05174) (GH-105200) (#105205)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)

Co-authored-by: Ned Deily <[email protected]>
ambv pushed a commit that referenced this pull request Jun 5, 2023
…105174) (GH-105200) (#105204)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af).
(cherry picked from commit a5d2b54)
(cherry picked from commit f90d3f6)

Co-authored-by: Gregory P. Smith <[email protected]>
ambv pushed a commit to ambv/cpython that referenced this pull request Jun 6, 2023
…1.1.1u (pythonGH-105174) (pythonGH-105200) (pythonGH-105205)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)

(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Ned Deily <[email protected]>
ambv added a commit that referenced this pull request Jun 6, 2023
…05174) (GH-105200) (GH-105205) (#105370)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Ned Deily <[email protected]>
carlosroman added a commit to DataDog/cpython that referenced this pull request Jun 22, 2023
* Post 3.8.16

* [3.8] Update copyright years to 2023. (pythongh-100852)

* [3.8] Update copyright years to 2023. (pythongh-100848).
(cherry picked from commit 11f9932)

Co-authored-by: Benjamin Peterson <[email protected]>

* Update additional copyright years to 2023.

Co-authored-by: Ned Deily <[email protected]>

* [3.8] Update copyright year in README (pythonGH-100863) (pythonGH-100867)

(cherry picked from commit 30a6cc4)

Co-authored-by: Ned Deily <[email protected]>
Co-authored-by: HARSHA VARDHAN <[email protected]>

* [3.8] Correct CVE-2020-10735 documentation (pythonGH-100306) (python#100698)

(cherry picked from commit 1cf3d78)
(cherry picked from commit 88fe8d7)

Co-authored-by: Jeremy Paige <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>

* [3.8] Bump Azure Pipelines to ubuntu-22.04 (pythonGH-101089) (python#101215)

(cherry picked from commit c22a55c)

Co-authored-by: Hugo van Kemenade <[email protected]>

* [3.8] pythongh-100180: Update Windows installer to OpenSSL 1.1.1s (pythonGH-100903) (python#101258)

* pythongh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (pythonGH-101424)

(cherry picked from commit ea23271)

Co-authored-by: Owain Davies <[email protected]>

* [3.8] pythongh-95778: add doc missing in some places (pythonGH-100627) (python#101630)

(cherry picked from commit 4652182)

* [3.8] pythongh-101283: Improved fallback logic for subprocess with shell=True on Windows (pythonGH-101286) (python#101710)

Co-authored-by: Oleg Iarygin <[email protected]>
Co-authored-by: Steve Dower <[email protected]>

* [3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI i… (python#102095)

[3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (pythongh-102079)

* [3.8] pythonGH-102306 Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK (pythonGH-102307)

[3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.

* [3.8] pythongh-101726: Update the OpenSSL version to 1.1.1t (pythonGH-101727) (pythonGH-101752)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt

Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Ned Deily <[email protected]>

* [3.8] pythongh-102627: Replace address pointing toward malicious web page (pythonGH-102630) (pythonGH-102667)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics <[email protected]>
Co-authored-by: C.A.M. Gerlach <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>

* [3.8] pythongh-101997: Update bundled pip version to 23.0.1 (pythonGH-101998). (python#102244)

(cherry picked from commit 89d9ff0)

* [3.8] pythongh-102950: Implement PEP 706 – Filter for tarfile.extractall (pythonGH-102953) (python#104548)

Backport of c8c3956

* [3.8] pythongh-99889: Fix directory traversal security flaw in uu.decode() (pythonGH-104096) (python#104332)

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll <[email protected]>

* [3.8] pythongh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (pythonGH-104067) (python#104121)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

(cherry picked from commit c7c3a60)

Co-authored-by: Ethan Furman <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Jelle Zijlstra <[email protected]>

* [3.8] pythongh-103935: Use `io.open_code()` when executing code in trace and profile modules (pythonGH-103947) (python#103954)

Co-authored-by: Tian Gao <[email protected]>

* [3.8] pythongh-68966: fix versionchanged in docs (pythonGH-105299)

* [3.8] Update GitHub CI workflow for macOS. (pythonGH-105302)

* [3.8] pythongh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (pythonGH-105185) (python#105222)

(cherry picked from commit ee26ca1)

Co-authored-by: Irit Katriel <[email protected]>

* [3.8] pythongh-102153: Start stripping C0 control and space chars in `urlsplit` (pythonGH-102508) (pythonGH-104575) (pythonGH-104592) (python#104593) (python#104895)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit pythonGH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport.  (people will see
that in the mainline /3/ docs)

(cherry picked from commit d7f8a5f)
(cherry picked from commit 2f630e1)
(cherry picked from commit 610cc0a)
(cherry picked from commit f48a96a)

Co-authored-by: Miss Islington (bot) <[email protected]>
Co-authored-by: Illia Volochii <[email protected]>
Co-authored-by: Gregory P. Smith [Google] <[email protected]>

* [3.8] pythongh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (pythonGH-105174) (pythonGH-105200) (pythonGH-105205) (python#105370)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Ned Deily <[email protected]>

* Python 3.8.17

* Post 3.8.17

* Updated CI to build 3.8.17

---------

Co-authored-by: Łukasz Langa <[email protected]>
Co-authored-by: Benjamin Peterson <[email protected]>
Co-authored-by: Ned Deily <[email protected]>
Co-authored-by: Miss Islington (bot) <[email protected]>
Co-authored-by: HARSHA VARDHAN <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Jeremy Paige <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Co-authored-by: Steve Dower <[email protected]>
Co-authored-by: Owain Davies <[email protected]>
Co-authored-by: Éric <[email protected]>
Co-authored-by: Oleg Iarygin <[email protected]>
Co-authored-by: Steve Dower <[email protected]>
Co-authored-by: Dong-hee Na <[email protected]>
Co-authored-by: Blind4Basics <[email protected]>
Co-authored-by: C.A.M. Gerlach <[email protected]>
Co-authored-by: Pradyun Gedam <[email protected]>
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Sam Carroll <[email protected]>
Co-authored-by: Ethan Furman <[email protected]>
Co-authored-by: Jelle Zijlstra <[email protected]>
Co-authored-by: Tian Gao <[email protected]>
Co-authored-by: Irit Katriel <[email protected]>
Co-authored-by: stratakis <[email protected]>
Co-authored-by: Illia Volochii <[email protected]>
glebfm pushed a commit to glebfm/cpython that referenced this pull request Jul 30, 2023
…on#105174)

Upgrade builds to OpenSSL 1.1.1u.

This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.

The Mac/BuildScript/build-installer.py was already updated.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9, and adds a new _ssl_data_31.h file from 3.1.1 along with the ssl.c code to use it.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).

backports of this prior to 3.12 will not include the openssl 3.1 header.

(cherry picked from commit ede89af)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Development

Successfully merging this pull request may close these issues.

5 participants