OpenSSL vulnerabilities in Python 3.11.5

In the newest released Python 3.11.5, libcrypto.dll is using the old version 3.0.9 of OpenSSL. There are still 3 vulnerabilities (CVE-2023-2975/CVE-2023-3446/CVE-2023-3817) in OpenSSL 3.0.9. If I use Python 3.11.5 in my software, will it be influenced by the three OpenSSL vulnerabilities?
If it is influenced, how could I change the OpenSSL in libcrypto.dll to 3.0.10?


We don’t believe normal usage of the ssl module to be affected by those vulnerabilities, which are all ranked as “low severity” by the OpenSSL team. Python 3.11.6 will use OpenSSL 3.0.10 when it is released next week.

Binaries for OpenSSL 3.0.10 are available at GitHub - python/cpython-bin-deps at openssl-bin-3.0.10. You should be able to copy the necessaries into your installation if you must, at your own risk.
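
An added example, not part of the original posts: one way to confirm which OpenSSL build an interpreter actually loaded, for instance after swapping the binaries as described above. It parses the `ssl.OPENSSL_VERSION` banner and compares numerically, since a plain string comparison would rank "3.0.9" above "3.0.10"; the function names and the sample banners are assumptions made for this sketch.

```python
import re
import ssl

# Per the thread: 3.0.9 carries the three CVEs, 3.0.10 is the replacement build.
FIXED_3_0 = (3, 0, 10)

_BANNER = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (library, (major, minor, patch)) from an ssl.OPENSSL_VERSION string."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def assess(banner):
    """Classify a banner against the 3.0.10 build named in the thread."""
    lib, ver = parse_banner(banner)
    if lib != "OpenSSL" or ver[:2] != (3, 0):
        # Other branches and forks have their own fixed releases,
        # which the thread does not cover.
        return "out-of-scope"
    # Tuple comparison is numeric: (3, 0, 9) < (3, 0, 10).
    return "patched" if ver >= FIXED_3_0 else "pre-3.0.10"


def assess_runtime():
    """Check the library this process loaded, not the file sitting on disk."""
    return assess(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", assess_runtime())
    # Constructed sample banners for illustration.
    for sample in ("OpenSSL 3.0.9 30 May 2023",
                   "OpenSSL 3.0.10 1 Aug 2023",
                   "OpenSSL 1.1.1k  25 Mar 2021"):
        print(sample, "->", assess(sample))
```

Run it with the same interpreter your software ships, because a stale `libssl`/`libcrypto` pair elsewhere on the DLL search path can be loaded instead of the copied files.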