
Bump MSI embedded Python to 3.10.3 or 3.9.11 to fix CVE-2022-0778 #21734

Closed
jiasli opened this issue Mar 22, 2022 · 1 comment · Fixed by #21746
Comments


jiasli commented Mar 22, 2022

We have supported Python 3.10 for a while (#19857), but the MSI still bundles Python 3.8.9.

Python 3.8.13 fixed CVE-2022-0778 but only in source code, not binary installers:

https://www.python.org/downloads/release/python-3813/

CVE-2022-0778: OpenSSL upgraded from 1.1.1l to 1.1.1n in macOS and Windows installers (BPO-47024)

Python 3.8 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.8.10 was the last full bugfix release of Python 3.8 with binary installers.

Therefore, we need to bump the MSI embedded Python to 3.10.3 or 3.9.11, which have libssl 1.1.1n.

Perhaps this can even be done together with

See
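The issue hinges on which OpenSSL a given Python build actually links against, which is not visible from the Python version alone. The following is an added example, not code from the issue or from the project it belongs to: it parses the `ssl.OPENSSL_VERSION` string of an interpreter (for instance the one bundled in the MSI) and decides whether that OpenSSL predates the CVE-2022-0778 fix. The fixed releases used as thresholds are 1.1.1n (cited in the issue) and 3.0.2 (from the OpenSSL advisory); the function names are hypothetical.

```python
import re
import ssl
import sys
from typing import Dict, Tuple

# ssl.OPENSSL_VERSION_INFO has the layout (major, minor, fix, patch, status).
# For the 1.1.1 branch the "patch" field is the letter index ('a' == 1), so
# 1.1.1n == (1, 1, 1, 14, ...). Fixed releases for CVE-2022-0778: 1.1.1n, 3.0.2.
FIX_111 = (1, 1, 1, 14)
FIX_30 = (3, 0, 2, 0)


def parse_openssl_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'OpenSSL 1.1.1n  15 Mar 2022' (or plain '3.0.2') into a 4-tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when this OpenSSL version predates the CVE-2022-0778 fix on its branch."""
    v = tuple(version[:4])
    if v[:3] == (1, 1, 1):
        return v < FIX_111
    if v[:2] == (3, 0):
        return v < FIX_30
    if v >= (3, 1, 0, 0):
        return False  # branches released after the fix
    # 1.0.2 and anything older: assume unfixed rather than guess (fail safe).
    return True


def check_running_interpreter() -> Dict[str, object]:
    """Report the OpenSSL the *running* interpreter links against."""
    parsed = parse_openssl_version(ssl.OPENSSL_VERSION)
    return {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        "version_info": tuple(ssl.OPENSSL_VERSION_INFO[:4]),
        "vulnerable": is_vulnerable(parsed),
    }


if __name__ == "__main__":
    # Run this with the embedded interpreter, e.g. "<install dir>\python.exe check.py".
    print(check_running_interpreter())
```

Running it with the MSI's own python.exe shows directly whether the bundled libssl is 1.1.1n or later, independent of what the Python release notes say about source-only fixes.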

@jiasli jiasli changed the title Bump MSI embedded Python to 3.10 Bump MSI embedded Python to 3.10.3 or 3.9.11 Mar 22, 2022
@jiasli jiasli changed the title Bump MSI embedded Python to 3.10.3 or 3.9.11 Bump MSI embedded Python to 3.10.3 or 3.9.11 to solve CVE-2022-0778 Mar 22, 2022
@jiasli jiasli changed the title Bump MSI embedded Python to 3.10.3 or 3.9.11 to solve CVE-2022-0778 Bump MSI embedded Python to 3.10.3 or 3.9.11 to fix CVE-2022-0778 Mar 22, 2022

yonzhan commented Mar 22, 2022

Bump MSI embedded Python

@yonzhan yonzhan added the Core CLI core infrastructure label Mar 22, 2022
@yonzhan yonzhan added this to the Backlog milestone Mar 22, 2022