
openssl.exe has security vulnerability

Open vsfeedback opened this issue 3 years ago • 1 comments

This issue has been moved from a ticket on Developer Community.


Our corporate security PC has scanned my PC with the latest version of VC2019 on and reported that C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\Python\Miniconda\Miniconda3-x64\Library\bin\openssl.exe has a security vulnerability. I checked and it is version 1.1.1c. They say it should be upgraded to at least 1.1.1l. Can you please arrange for this to be upgraded in a release?


Original Comments

(no comments)


Original Solutions

(no solutions)

vsfeedback avatar Oct 01 '21 16:10 vsfeedback

I will be looking at this along with https://github.com/microsoft/PTVS/issues/6758 at the same time. Sounds like we need to update miniconda in VS 16.11 to a version with openssl 1.1.1L. Miniconda has been removed from VS 2022 so this is only a VS2019 issue.

AdamYoblick avatar Oct 26 '21 18:10 AdamYoblick

Graham's released statement says we're not fixing old versions of the Python Interpreter, the users need to move up to a more recent version of VS. That being said, the MiniConda component isn't the same as the CPython interpreter, and this is a real security vulnerability, so we might have to fix it. Follow up with Graham for guidance.

AdamYoblick avatar Feb 02 '23 22:02 AdamYoblick

Going to close this out as the VS2019 bundled miniconda is labeled as out-of-support so we are not providing full support on security updates.

StellaHuang95 avatar Feb 03 '23 00:02 StellaHuang95