
Commit a5d2b54

authored
[3.11] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (#105200)
Upgrade builds to OpenSSL 1.1.1u. This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t. The Mac/BuildScript/build-installer.py was already updated. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af)
1 parent 3b0747a commit a5d2b54

11 files changed

+185
-16
lines changed

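--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@@ -57,7 +57,7 @@ jobs:
 variables:
 testRunTitle: '$(build.sourceBranchName)-linux'
 testRunPlatform: linux
-openssl_version: 1.1.1t
+openssl_version: 1.1.1u
 
 steps:
 - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
 variables:
 testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
 testRunPlatform: linux-coverage
-openssl_version: 1.1.1t
+openssl_version: 1.1.1u
 
 steps:
 - template: ./posix-steps.yml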

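--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@@ -57,7 +57,7 @@ jobs:
 variables:
 testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
 testRunPlatform: linux
-openssl_version: 1.1.1t
+openssl_version: 1.1.1u
 
 steps:
 - template: ./posix-steps.yml
@@ -83,7 +83,7 @@ jobs:
 variables:
 testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
 testRunPlatform: linux-coverage
-openssl_version: 1.1.1t
+openssl_version: 1.1.1u
 
 steps:
 - template: ./posix-steps.yml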

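--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -250,7 +250,7 @@ jobs:
 needs: check_source
 if: needs.check_source.outputs.run_tests == 'true'
 env:
-OPENSSL_VER: 1.1.1t
+OPENSSL_VER: 1.1.1u
 PYTHONSTRICTEXTENSIONBUILD: 1
 steps:
 - uses: actions/checkout@v3
@@ -319,7 +319,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-openssl_ver: [1.1.1t, 3.0.8, 3.1.0-beta1]
+openssl_ver: [1.1.1u, 3.0.9, 3.1.1]
 env:
 OPENSSL_VER: ${{ matrix.openssl_ver }}
 MULTISSL_DIR: ${{ github.workspace }}/multissl
@@ -371,7 +371,7 @@ jobs:
 needs: check_source
 if: needs.check_source.outputs.run_tests == 'true'
 env:
-OPENSSL_VER: 1.1.1t
+OPENSSL_VER: 1.1.1u
 PYTHONSTRICTEXTENSIONBUILD: 1
 ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
 steps: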
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u
2+
to address several CVEs.

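--- a/Modules/_ssl_data_111.h
+++ b/Modules/_ssl_data_111.h
@@ -1,4 +1,4 @@
-/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2023-06-01T02:58:04.081473 */
 static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_ASN1
 {"ASN1", ERR_LIB_ASN1},
@@ -1375,6 +1375,11 @@ static struct py_ssl_error_code error_codes[] = {
 #else
 {"UNSUPPORTED_COMPRESSION_ALGORITHM", 46, 151},
 #endif
+#ifdef CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM
+{"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM},
+#else
+{"UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM", 46, 194},
+#endif
 #ifdef CMS_R_UNSUPPORTED_CONTENT_TYPE
 {"UNSUPPORTED_CONTENT_TYPE", ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_TYPE},
 #else
@@ -4860,6 +4865,11 @@ static struct py_ssl_error_code error_codes[] = {
 #else
 {"MISSING_PARAMETERS", 20, 290},
 #endif
+#ifdef SSL_R_MISSING_PSK_KEX_MODES_EXTENSION
+{"MISSING_PSK_KEX_MODES_EXTENSION", ERR_LIB_SSL, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION},
+#else
+{"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
+#endif
 #ifdef SSL_R_MISSING_RSA_CERTIFICATE
 {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
 #else
@@ -5065,6 +5075,11 @@ static struct py_ssl_error_code error_codes[] = {
 #else
 {"NULL_SSL_METHOD_PASSED", 20, 196},
 #endif
+#ifdef SSL_R_OCSP_CALLBACK_FAILURE
+{"OCSP_CALLBACK_FAILURE", ERR_LIB_SSL, SSL_R_OCSP_CALLBACK_FAILURE},
+#else
+{"OCSP_CALLBACK_FAILURE", 20, 294},
+#endif
 #ifdef SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
 {"OLD_SESSION_CIPHER_NOT_RETURNED", ERR_LIB_SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED},
 #else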
