genotrance / px

An HTTP proxy server to automatically authenticate through an NTLM proxy
MIT License

libcrypto-1_1.dll version 1.1.1q with vulnerabilities #197

Closed nziegler closed 9 months ago

nziegler commented 12 months ago

Our company security department has flagged the OpenSSL version in the folder of px 0.84 as a vulnerability issue and recommends upgrading to at least 1.1.1w. The current dll is 1.1.1q.

Would it be possible to update the library?

There are several issues with medium to high severity after version 1.1.1q: https://www.openssl.org/news/vulnerabilities-1.1.1.html

genotrance commented 11 months ago

I presume you are talking about the Windows ZIP. Considering it is made using Nuitka, it simply pulls in the OpenSSL versions in the Python distro I was using at the time of creation. For the near term, you could simply replace the file in the folder with a newer version and it should work. A slightly better alternative would be to use the wheels with an existing version of Python which is kept up to date. In that case, we will only be stuck with an older libcurl binary that is bundled with Px.

Meanwhile, I'm working on a new release of Px which hopes to leverage the embeddable version of Python instead of building Nuitka binaries and wrestling with virus scanners. Hopefully, we have fewer issues of that kind but will still have issues with those dlls going out of date over time.
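As an added example (not part of this thread and not Px's own code), a small Python check that scans a libcrypto DLL for its embedded "OpenSSL x.y.zL" version string and compares it against the 1.1.1w minimum the reporter's security team asked for; the sample byte strings and the path name are constructed.

```python
import re
from pathlib import Path

# OpenSSL 1.x embeds a banner such as "OpenSSL 1.1.1q  5 Jul 2022" in
# libcrypto; the trailing letter is the patch level, so 1.1.1w > 1.1.1q.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

# Minimum the issue asks for; (major, minor, fix, patch letter).
MIN_VERSION = (1, 1, 1, "w")


def parse_version(blob: bytes):
    """Return (major, minor, fix, patch) from the first banner found, or None."""
    m = VERSION_RE.search(blob)
    if m is None:
        return None
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    return (major, minor, fix, m.group(4).decode("ascii"))


def version_key(v):
    """Sortable key: a missing patch letter sorts before 'a'."""
    major, minor, fix, patch = v
    return (major, minor, fix, ord(patch) if patch else 0)


def check_libcrypto(blob: bytes, minimum=MIN_VERSION):
    """Return (found_version, ok). ok is False if no banner was found."""
    found = parse_version(blob)
    if found is None:
        return None, False
    return found, version_key(found) >= version_key(minimum)


def check_file(path: str, minimum=MIN_VERSION):
    """Read a DLL from disk (e.g. the px folder) and check its banner."""
    return check_libcrypto(Path(path).read_bytes(), minimum)


if __name__ == "__main__":
    # Constructed sample standing in for the bytes of libcrypto-1_1.dll.
    sample = b"\x00MZ...OpenSSL 1.1.1q  5 Jul 2022\x00..."
    print(check_libcrypto(sample))  # ((1, 1, 1, 'q'), False)
```

The first banner in the file is taken; if a DLL carries more than one version-like string, confirm the result against the file's version properties.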

genotrance commented 11 months ago

This is fixed in v0.9.0 still in development - see branch.

Px binaries for Windows will now be built using the Python Embedded binary instead of Nuitka. See tools.py embed() if curious. Will post binaries after development and test is complete.

nziegler commented 11 months ago

I replaced the dll with a newer version as you said, without problems. I will check the other setup options you have described in the readme. Thanks!

genotrance commented 9 months ago

v0.9.0 has been released.