From 915f5e11243e448657a5be2ab24956a502c28552 Mon Sep 17 00:00:00 2001 From: Carlos Date: Wed, 11 Oct 2023 16:14:13 +0100 Subject: [PATCH] Updated the version Python to 3.9.18 as needed for OpenSSL Windows update (#20058) * Updated the version Python to 3.9.18 as needed for OpenSSL Windows update * Update releasenotes/notes/update-python-openssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml Co-authored-by: Bryce Eadie * Update releasenotes/notes/update-python-openssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml Co-authored-by: Bryce Eadie --------- Co-authored-by: Bryce Eadie --- omnibus/config/software/python3.rb | 10 +++++----- ...ssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/update-python-openssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml diff --git a/omnibus/config/software/python3.rb b/omnibus/config/software/python3.rb index 450cec8bfeeb2..052f78ae4f560 100644 --- a/omnibus/config/software/python3.rb +++ b/omnibus/config/software/python3.rb @@ -1,7 +1,7 @@ name "python3" if ohai["platform"] != "windows" - default_version "3.9.17" + default_version "3.9.18" dependency "libxcrypt" dependency "libffi" @@ -15,7 +15,7 @@ dependency "libyaml" source :url => "https://python.org/ftp/python/#{version}/Python-#{version}.tgz", - :sha256 => "8ead58f669f7e19d777c3556b62fae29a81d7f06a7122ff9bc57f7dd82d7e014" + :sha256 => "504ce8cfd59addc04c22f590377c6be454ae7406cb1ebf6f5a350149225a9354" relative_path "Python-#{version}" @@ -58,19 +58,19 @@ end else - default_version "3.9.17-26e6052" + default_version "3.9.18-38f3b72" dependency "vc_redist_14" if windows_arch_i386? dependency "vc_ucrt_redist" source :url => "https://dd-agent-omnibus.s3.amazonaws.com/python-windows-#{version}-x86.zip", - :sha256 => "007FC4DB517599FB4DFF4D68FFA7C6B3BE9674F584AA513600A2539AF7CDD07B".downcase + :sha256 => "DC7069727454BC8FEED064FBD797076B7EAD93CAC1A482CE794BAB08214C42F3".downcase else # note that startring with 3.7.3 on Windows, the zip should be created without the built-in pip source :url => "https://dd-agent-omnibus.s3.amazonaws.com/python-windows-#{version}-x64.zip", - :sha256 => "E6E38E5A6B768E9EF6E2F3F31448873657251B32B6CEB99B99D76BF47279A36D".downcase + :sha256 => "6DA7EDD4D42D5A223D14BF80ABBBEA80F4F6D6939CD0AA769CF1BCD24CB54A1F".downcase end vcrt140_root = "#{Omnibus::Config.source_dir()}/vc_redist_140/expanded" diff --git a/releasenotes/notes/update-python-openssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml b/releasenotes/notes/update-python-openssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml new file mode 100644 index 0000000000000..a5d0093ce6410 --- /dev/null +++ b/releasenotes/notes/update-python-openssl-on-windows-to-1.1.1w-0a00d9c8a0cfde12.yaml @@ -0,0 +1,15 @@ +# Each section from every release note are combined when the +# CHANGELOG.rst is rendered. So the text needs to be worded so that +# it does not depend on any information only available in another +# section. This may mean repeating some details, but each section +# must be readable independently of the other. +# +# Each section note must be formatted as reStructuredText. +--- +upgrade: + - | + Upgraded Python 3.9 to Python 3.9.18 + +security: + - | + Updated the version of OpenSSL used by Python on Windows to `1.1.1w`; addressed CVE-2023-4807, CVE-2023-3817, and CVE-2023-3446