[3.9] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101751)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org>
2025-12-08 06:10:17 +00:00 · 2023-03-07 23:01:22 +00:00 · 2023-03-07 23:01:22 +00:00 · bf99e19b99
commit bf99e19b99
parent c25b484e82
9 changed files with 37 additions and 26 deletions
--- a/.azure-pipelines/ci.yml
+++ b/.azure-pipelines/ci.yml
@ -57,7 +57,7 @@ jobs:
  variables:
    testRunTitle: '$(build.sourceBranchName)-linux'
    testRunPlatform: linux
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t

  steps:
  - template: ./posix-steps.yml
@ -83,7 +83,7 @@ jobs:
  variables:
    testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
    testRunPlatform: linux-coverage
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t

  steps:
  - template: ./posix-steps.yml
--- a/.azure-pipelines/pr.yml
+++ b/.azure-pipelines/pr.yml
@ -57,7 +57,7 @@ jobs:
  variables:
    testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
    testRunPlatform: linux
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t

  steps:
  - template: ./posix-steps.yml
@ -83,7 +83,7 @@ jobs:
  variables:
    testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
    testRunPlatform: linux-coverage
-    openssl_version: 1.1.1n
+    openssl_version: 1.1.1t

  steps:
  - template: ./posix-steps.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -165,7 +165,7 @@ jobs:
    needs: check_source
    if: needs.check_source.outputs.run_tests == 'true'
    env:
-      OPENSSL_VER: 1.1.1n
+      OPENSSL_VER: 1.1.1t
      PYTHONSTRICTEXTENSIONBUILD: 1
    steps:
    - uses: actions/checkout@v3
@ -207,7 +207,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        openssl_ver: [1.0.2u, 1.1.0l, 1.1.1n, 3.0.2]
+        openssl_ver: [1.0.2u, 1.1.0l, 1.1.1t, 3.0.8, 3.1.0-beta1]
    env:
      OPENSSL_VER: ${{ matrix.openssl_ver }}
      MULTISSL_DIR: ${{ github.workspace }}/multissl
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@ -244,9 +244,9 @@ def library_recipes():

    result.extend([
          dict(
-              name="OpenSSL 1.1.1n",
-              url="https://www.openssl.org/source/openssl-1.1.1n.tar.gz",
-              checksum='2aad5635f9bb338bc2c6b7d19cbc9676',
+              name="OpenSSL 1.1.1t",
+              url="https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+              checksum='1cfee919e0eac6be62c88c5ae8bcd91e',
              buildrecipe=build_universal_openssl,
              configure=None,
              install=None,
--- a/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst
+++ b/Misc/NEWS.d/next/Security/2023-02-08-22-03-04.gh-issue-101727.9P5eZz.rst
@ -0,0 +1,4 @@
+Updated the OpenSSL version used in Windows and macOS binary release builds
+to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per
+`the OpenSSL 2023-02-07 security advisory
+<https://www.openssl.org/news/secadv/20230207.txt>`_.
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@ -53,7 +53,7 @@ echo.Fetching external libraries...
 set libraries=
 set libraries=%libraries%                                       bzip2-1.0.8
 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries%  libffi-3.3.0
-if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1s
+if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1t
 set libraries=%libraries%                                       sqlite-3.37.2.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.12.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.12.0
@ -77,7 +77,7 @@ echo.Fetching external binaries...

 set binaries=
 if NOT "%IncludeLibffi%"=="false"  set binaries=%binaries% libffi-3.3.0
-if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1s
+if NOT "%IncludeSSL%"=="false"     set binaries=%binaries% openssl-bin-1.1.1t
 if NOT "%IncludeTkinter%"=="false" set binaries=%binaries% tcltk-8.6.12.0
 if NOT "%IncludeSSLSrc%"=="false"  set binaries=%binaries% nasm-2.11.06

--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@ -57,18 +57,25 @@
    <ExternalsDir>$(EXTERNALS_DIR)</ExternalsDir>
    <ExternalsDir Condition="$(ExternalsDir) == ''">$([System.IO.Path]::GetFullPath(`$(PySourcePath)externals`))</ExternalsDir>
    <ExternalsDir Condition="!HasTrailingSlash($(ExternalsDir))">$(ExternalsDir)\</ExternalsDir>
-    <sqlite3Dir>$(ExternalsDir)sqlite-3.37.2.0\</sqlite3Dir>
-    <bz2Dir>$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
-    <lzmaDir>$(ExternalsDir)xz-5.2.5\</lzmaDir>
-    <libffiDir>$(ExternalsDir)libffi-3.3.0\</libffiDir>
-    <libffiOutDir>$(ExternalsDir)libffi-3.3.0\$(ArchName)\</libffiOutDir>
-    <libffiIncludeDir>$(libffiOutDir)include</libffiIncludeDir>
-    <opensslDir>$(ExternalsDir)openssl-1.1.1s\</opensslDir>
-    <opensslOutDir>$(ExternalsDir)openssl-bin-1.1.1s\$(ArchName)\</opensslOutDir>
-    <opensslIncludeDir>$(opensslOutDir)include</opensslIncludeDir>
-    <nasmDir>$(ExternalsDir)\nasm-2.11.06\</nasmDir>
-    <zlibDir>$(ExternalsDir)\zlib-1.2.12\</zlibDir>
-    
+  </PropertyGroup>
+
+  <Import Project="$(ExternalProps)" Condition="$(ExternalProps) != '' and Exists('$(ExternalProps)')" />
+
+  <PropertyGroup>
+    <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.37.2.0\</sqlite3Dir>
+    <bz2Dir Condition="$(bz2Dir) == ''">$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
+    <lzmaDir Condition="$(lzmaDir) == ''">$(ExternalsDir)xz-5.2.5\</lzmaDir>
+    <libffiDir Condition="$(libffiDir) == ''">$(ExternalsDir)libffi-3.3.0\</libffiDir>
+    <libffiOutDir Condition="$(libffiOutDir) == ''">$(libffiDir)$(ArchName)\</libffiOutDir>
+    <libffiIncludeDir Condition="$(libffiIncludeDir) == ''">$(libffiOutDir)include</libffiIncludeDir>
+    <opensslDir Condition="$(opensslDir) == ''">$(ExternalsDir)openssl-1.1.1t\</opensslDir>
+    <opensslOutDir Condition="$(opensslOutDir) == ''">$(ExternalsDir)openssl-bin-1.1.1t\$(ArchName)\</opensslOutDir>
+    <opensslIncludeDir Condition="$(opensslIncludeDir) == ''">$(opensslOutDir)include</opensslIncludeDir>
+    <nasmDir Condition="$(nasmDir) == ''">$(ExternalsDir)\nasm-2.11.06\</nasmDir>
+    <zlibDir Condition="$(zlibDir) == ''">$(ExternalsDir)\zlib-1.2.12\</zlibDir>
+  </PropertyGroup>
+
+  <PropertyGroup>
    <!-- Suffix for all binaries when building for debug -->
    <PyDebugExt Condition="'$(PyDebugExt)' == '' and $(Configuration) == 'Debug'">_d</PyDebugExt>
    
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@ -164,7 +164,7 @@ _lzma
    Homepage:
        https://tukaani.org/xz/
 _ssl
-    Python wrapper for version 1.1.1k of the OpenSSL secure sockets
+    Python wrapper for version 1.1.1t of the OpenSSL secure sockets
    library, which is downloaded from our binaries repository at
    https://github.com/python/cpython-bin-deps.

--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@ -49,8 +49,8 @@
 ]

 OPENSSL_RECENT_VERSIONS = [
-    "1.1.1n",
-    "3.0.2"
+    "1.1.1t",
+    "3.0.8"
 ]

 LIBRESSL_OLD_VERSIONS = [