From 417ac32e7dba077a8a130aac38d2b8e4af9e9ae5 Mon Sep 17 00:00:00 2001
From: Ned Deily
Date: Mon, 5 Jun 2023 04:50:00 -0400
Subject: [PATCH] [3.7] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u. (GH-105308)
---
 .azure-pipelines/ci.yml | 4 ++--
 .azure-pipelines/pr.yml | 4 ++--
 .github/workflows/build.yml | 2 +-
 Mac/BuildScript/build-installer.py | 6 +++---
 .../2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst | 2 ++
 PCbuild/get_externals.bat | 4 ++--
 PCbuild/python.props | 4 ++--
 PCbuild/readme.txt | 2 +-
 Tools/ssl/multissltests.py | 8 ++------
 9 files changed, 17 insertions(+), 19 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst
diff --git a/.azure-pipelines/ci.yml b/.azure-pipelines/ci.yml
index c68d571f70cea3..ecb0c8e38f40a0 100644
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -61,7 +61,7 @@ jobs:
 variables:
 testRunTitle: '$(build.sourceBranchName)-linux'
 testRunPlatform: linux
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
 steps:
 - template: ./posix-steps.yml
@@ -118,7 +118,7 @@ jobs:
 variables:
 testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
 testRunPlatform: linux-coverage
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
 steps:
 - template: ./posix-steps.yml
diff --git a/.azure-pipelines/pr.yml b/.azure-pipelines/pr.yml
index ba61efe62d6996..da38a81ae0222c 100644
--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@@ -61,7 +61,7 @@ jobs:
 variables:
 testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
 testRunPlatform: linux
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
 steps:
 - template: ./posix-steps.yml
@@ -118,7 +118,7 @@ jobs:
 variables:
 testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
 testRunPlatform: linux-coverage
- openssl_version: 1.1.1t
+ openssl_version: 1.1.1u
 steps:
 - template: ./posix-steps.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cc2e41aad5d186..b8ff7ed5109239 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -163,7 +163,7 @@ jobs:
 needs: check_source
 if: needs.check_source.outputs.run_tests == 'true'
 env:
- OPENSSL_VER: 1.1.1t
+ OPENSSL_VER: 1.1.1u
 steps:
 - uses: actions/checkout@v2
 - name: Install Dependencies
diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
index 7ba26a738a9e8b..685086036e7c18 100755
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@@ -209,9 +209,9 @@ def library_recipes():
 result.extend([
 dict(
- name="OpenSSL 1.1.1t",
- url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
- checksum='1cfee919e0eac6be62c88c5ae8bcd91e',
+ name="OpenSSL 1.1.1u",
+ url="https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
+ checksum='72f7ba7395f0f0652783ba1089aa0dcc',
 buildrecipe=build_universal_openssl,
 configure=None,
 install=None,
diff --git a/Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst b/Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst
new file mode 100644
index 00000000000000..7e0836879e4f81
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-06-05-04-07-52.gh-issue-103142.GLWDMX.rst
@@ -0,0 +1,2 @@
+The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
+to address several CVEs.
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index 4f23edd45ae403..48c15e212bee47 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -49,7 +49,7 @@ echo.Fetching external libraries...
 set libraries=
 set libraries=%libraries% bzip2-1.0.8
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1t
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1u
 set libraries=%libraries% sqlite-3.31.1.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0
@@ -72,7 +72,7 @@ for %%e in (%libraries%) do (
 echo.Fetching external binaries...
 set binaries=
-if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1t
+if NOT "%IncludeSSL%"=="false" set binaries=%binaries% openssl-bin-1.1.1u
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.9.0
 if NOT "%IncludeSSLSrc%"=="false" set binaries=%binaries% nasm-2.11.06
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 4f198aa44e5f66..8fb1c3ee9568c3 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -54,8 +54,8 @@
 $(ExternalsDir)sqlite-3.31.1.0\
 $(ExternalsDir)bzip2-1.0.8\
 $(ExternalsDir)xz-5.2.2\
- $(ExternalsDir)openssl-1.1.1t\
- $(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\
+ $(ExternalsDir)openssl-1.1.1u\
+ $(ExternalsDir)openssl-bin-1.1.1u\$(ArchName)\
 $(opensslOutDir)include
 $(ExternalsDir)\nasm-2.11.06\
 $(ExternalsDir)\zlib-1.2.12\
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 7c87b7a57994bc..d9d54691e11b02 100644
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -165,7 +165,7 @@ _lzma
 Homepage: http://tukaani.org/xz/
 _ssl
- Python wrapper for version 1.1.1t of the OpenSSL secure sockets
+ Python wrapper for version 1.1.1u of the OpenSSL secure sockets
 library, which is downloaded from our binaries repository at
 https://github.com/python/cpython-bin-deps.
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 2a4bbf4552cb76..e697512b329c46 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -43,21 +43,17 @@ log = logging.getLogger("multissl")
 OPENSSL_OLD_VERSIONS = [
- "1.0.2u",
- "1.1.0l",
 ]
 OPENSSL_RECENT_VERSIONS = [
- "1.1.1t",
- "3.0.8"
+ "1.1.1u",
+ "3.0.9"
 ]
 LIBRESSL_OLD_VERSIONS = [
- "2.9.2",
 ]
 LIBRESSL_RECENT_VERSIONS = [
- "3.1.0",
 ]
 # store files in ../multissl
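Review bot: Emptying OPENSSL_OLD_VERSIONS, LIBRESSL_OLD_VERSIONS and LIBRESSL_RECENT_VERSIONS in the Tools/ssl/multissltests.py hunk leaves three lists with no entries and no comment explaining that those builds are intentionally no longer exercised on this branch. If the script's option parsing (outside this hunk) still lets a caller select those lists, a run over an empty list presumably builds and tests nothing and exits successfully, which reads as a pass rather than as "nothing selected"; worth confirming against the parser. A one-line comment above each emptied list, e.g. `# intentionally empty: LibreSSL is no longer tested on this branch`, would make the intent explicit, and the NEWS entry could name the dropped OpenSSL 1.0.2/1.1.0 test coverage alongside the 1.1.1u bump so the reduced test matrix is visible to readers of the changelog.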