Description
OpenSSL v3.4.1 is out and contains some security patches (see https://github.com/openssl/openssl/releases/tag/openssl-3.4.1). There is one high vulnerability (CVE-2024-12797) that was fixed.
However, what I'm interested in are the fixes that allow me to continue working on #128391 (see openssl/openssl#26388). Note that this high vulnerability does not affect the Windows build as the latter is still using OpenSSL 3.0.15 which is only affected by the following low vulnerabilities:
Those low vulnerabilities affect OpenSSL 1.1.1+ and 3.x versions that we currently use and were fixed in the February 2025 release.
Note: I don't think Python is directly affected by the low vulnerabilities and I just want the fixes that were included in those releases for my own work. Since the high vulnerability only affects 3.2+, Windows builds should not be affected.
cc @gpshead
Plan:
- Update https://github.com/python/cpython-source-deps to pull OpenSSL 3.0.16 (cc @zooba)
- Update macOS and Windows builds to use OpenSSL 3.0.16.
- Update CI workflows to test against [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
- Update OpenSSL data headers
Linked PRs
- gh-131423: Update to OpenSSL 3.0.16. #131839
- [3.13] gh-131423: Update to OpenSSL 3.0.16. (GH-131839) #131848
- [3.12] gh-131423: Update to OpenSSL 3.0.16. (GH-131839) #131849
- gh-131423: Update OpenSSL build tag to 3.0.16.2 to fix ARM64 crash #132051
- [3.13] gh-131423: Update OpenSSL build tag to 3.0.16.2 to fix ARM64 crash (GH-132051) #132052
- [3.12] gh-131423: Update OpenSSL build tag to 3.0.16.2 to fix ARM64 crash. (GH-132051) #132053
- gh-131423: Update macOS installer to use OpenSSL 3.0.16. #132189
- [3.13] gh-131423: Update macOS installer to use OpenSSL 3.0.16. (GH-132189) #132196
- [3.12] gh-131423: Update macOS installer to use OpenSSL 3.0.16. (GH-132189) #132197
- gh-131423: Update OpenSSL data to 3.4.1 on Linux #131618
- gh-131423: update note in Tools/ssl/make_ssl_data.py #133077