Werk #17999: Update Python runtime for Windows Agent
| Component | Checks & agents |
| Title | Update Python runtime for Windows Agent |
| Date | Oct 23, 2025 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
| Checkmk versions & editions | |
The Python runtime environment used by the Checkmk Windows Agent has been proactively updated from version 3.12 to 3.13.
This update ensures the Windows agent is running on a fully supported Python branch, addressing potential long-term maintenance and security risks associated with upstream dependencies no longer receiving updates.
Vulnerability Management:
To aid automated scanning we assign a CVSS score of 0.0 None (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N).
Caution:
This change may break your agent updater communication. Please ensure compatibility before updating.
Details:
The Windows agent updater runs under the mentioned Python runtime environment.
Python 3.13 introduced a breaking change in TLS certificate handling, see https://docs.python.org/3/whatsnew/3.13.html#ssl .
This adds the non-standard VERIFY_X509_STRICT flag to the TLS context used for HTTPS communication.
The HTTPS setup of the Checkmk server is not provided by us, but by you. Your certificate chain, and with it the agent updater's HTTPS communication, may not conform to the stricter verification.
However, standard TLS software such as cURL and OpenSSL doesn't enforce this flag, so the incompatibility may come as a surprise.
We did not intend to introduce this breaking change during the lifecycle of the current stable release, so we roll back the stricter verification with Werk #18920.
When in doubt, please skip any patch release that doesn't contain the mentioned Werk.
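One way to check in advance whether a server's certificate chain passes the stricter verification described above is to handshake twice, once with VERIFY_X509_STRICT cleared and once with it set, and compare the results. This is an added example, not code from Checkmk or the agent updater. It assumes any Python 3.7+ interpreter, and the host, port and optional CA file passed on the command line are your own values.

```python
import socket
import ssl
import sys

COMPATIBLE = "compatible with strict verification"
STRICT_ONLY = "fails only under VERIFY_X509_STRICT"
UNTRUSTED = "fails even without VERIFY_X509_STRICT"


def build_context(strict, cafile=None):
    """Default client context with VERIFY_X509_STRICT forced on or off."""
    ctx = ssl.create_default_context(cafile=cafile)
    flags = int(ctx.verify_flags)
    strict_bit = int(ssl.VERIFY_X509_STRICT)
    ctx.verify_flags = (flags | strict_bit) if strict else (flags & ~strict_bit)
    return ctx


def probe(host, port, strict, cafile=None, timeout=10.0):
    """Return None if the chain verifies, else OpenSSL's verification message."""
    ctx = build_context(strict, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message


def assess(relaxed_error, strict_error):
    """Classify the two probe results (None means the handshake verified)."""
    if strict_error is None:
        return COMPATIBLE
    if relaxed_error is None:
        return STRICT_ONLY
    return UNTRUSTED


if __name__ == "__main__":
    # Usage: script.py HOST [PORT] [CAFILE]; all three are your own values.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    relaxed = probe(host, port, strict=False, cafile=cafile)
    strict = probe(host, port, strict=True, cafile=cafile)
    print("relaxed:", relaxed or "ok")
    print("strict: ", strict or "ok")
    print("result: ", assess(relaxed, strict))
```

A result of "fails only under VERIFY_X509_STRICT" identifies a chain that cURL and OpenSSL accept but the Python 3.13 default context rejects; the strict message printed names the check that failed.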