This is the mail archive of the cygwin-announce mailing list for the Cygwin project.
Updated: openssl-1.0.1a-1, openssl-devel-1.0.1-1,libopenssl100-1.0.1-1, libopenssl098-0.9.8v-1
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin-announce at cygwin dot com
- Date: Fri, 20 Apr 2012 10:56:44 +0200
- Subject: Updated: openssl-1.0.1a-1, openssl-devel-1.0.1-1,libopenssl100-1.0.1-1, libopenssl098-0.9.8v-1
- Reply-to: The Cygwin Mailing List <cygwin at cygwin dot com>
I've updated the version of OpenSSL to 1.0.1a-1. I also updated
the 0.9.8 libs to 0.9.8v-1.
This is an upstream security release. The Cygwin release is built from
the vanilla sources.
Here's the official security advisory:
------------------------------------------------------------------------
OpenSSL Security Advisory [19 Apr 2012]
=======================================
ASN1 BIO vulnerability (CVE-2012-2110)
=======================================
A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.
Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.
Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc)
are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected.
Applications only using the PEM routines are not affected.
S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or
SMIME_read_CMS *are* affected.
The OpenSSL command line utility is also affected if used to process untrusted
data in DER format.
Note: although an application using the SSL/TLS portions of OpenSSL is not
automatically affected it might still call a function such as d2i_X509_bio on
untrusted data and be vulnerable.
Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and
to Adam Langley <agl@chromium.org> for fixing it.
Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120419.txt
------------------------------------------------------------------------
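As an added example (not part of the announcement or of the OpenSSL advisory), a small Python helper that encodes the two facts the advisory gives a defender: the first fixed release on each branch (1.0.1a, 1.0.0i, 0.9.8v), and the names of the BIO/FILE-based DER readers (d2i_*_bio, d2i_*_fp, SMIME_read_PKCS7, SMIME_read_CMS) to look for in application source. The C fragment it scans is constructed, and treating branches newer than 1.0.1 as fixed is an assumption.

```python
"""CVE-2012-2110 triage helpers (added example; not from the advisory)."""
import re

# First fixed release on each branch named by the advisory.
FIXED = {"1.0.1": "a", "1.0.0": "i", "0.9.8": "v"}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")
# BIO/FILE-based DER readers the advisory lists as affected.
_AFFECTED_RE = re.compile(r"\b(d2i_\w+_(?:bio|fp)|SMIME_read_(?:PKCS7|CMS))\s*\(")

def parse_version(text):
    """Return (branch, letter) from e.g. 'OpenSSL 1.0.1a 19 Apr 2012' or '0.9.8v'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return m.group(1), m.group(2)

def is_fixed(text):
    """True if the version string carries the fix for the asn1_d2i_read_bio bug."""
    branch, letter = parse_version(text)
    if branch in FIXED:
        # '' sorts before 'a', so a bare 1.0.1 is correctly reported as unfixed.
        return letter >= FIXED[branch]
    if tuple(int(x) for x in branch.split(".")) > (1, 0, 1):
        return True  # assumption: branches released after 1.0.1 include the fix
    raise ValueError("branch %s is not covered by the advisory" % branch)

def find_affected_calls(source):
    """List (line_no, function) for each affected DER-reading call in C source."""
    # Memory-based readers (d2i_X509 etc.) and PEM routines are deliberately
    # not matched, mirroring the advisory's list of unaffected functions.
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in _AFFECTED_RE.finditer(line):
            hits.append((n, m.group(1)))
    return hits

# Constructed C fragment for demonstration; lines 1 and 3 should be flagged.
SAMPLE_SOURCE = """\
X509 *c = d2i_X509_bio(in, NULL);                   /* BIO based: affected */
X509 *d = d2i_X509(NULL, &p, len);                  /* memory based: not affected */
PKCS7 *p7 = SMIME_read_PKCS7(in, &bcont);           /* MIME parser: affected */
X509 *e = PEM_read_bio_X509(in, NULL, NULL, NULL);  /* PEM: not affected */
"""

if __name__ == "__main__":
    print(is_fixed("OpenSSL 1.0.1 14 Mar 2012"), is_fixed("OpenSSL 1.0.1a 19 Apr 2012"))
    print(find_affected_calls(SAMPLE_SOURCE))
```

Feed `openssl version` output or Python's `ssl.OPENSSL_VERSION` to `is_fixed`; the source scan only finds call sites and says nothing about whether the data they read is untrusted.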
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Then, run setup and answer all of the questions.
*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there. It will be in the format:
cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com
If you need more information on unsubscribing, start reading here:
http://sourceware.org/lists.html#unsubscribe-simple
Please read *all* of the information on unsubscribing that is available
starting at the above URL.
--
Corinna Vinschen                 Please, send mails regarding Cygwin to
Cygwin Project Co-Leader         cygwin AT cygwin DOT com
Red Hat