This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[ANNOUNCEMENT] Updated: openssl-1.0.1a-1, openssl-devel-1.0.1-1, libopenssl100-1.0.1-1, libopenssl098-0.9.8v-1

I've updated the version of OpenSSL to 1.0.1a-1.  I also updated
the 0.9.8 libs to 0.9.8v-1.

This is an upstream security release.  The Cygwin release is build from
the vanilla sources.

Here's the official security advisory:

OpenSSL Security Advisory [19 Apr 2012]

ASN1 BIO vulnerability (CVE-2012-2110)

A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.

Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.

Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc)
are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected.

Applications only using the PEM routines are not affected.

S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or
SMIME_read_CMS *are* affected.

The OpenSSL command line utility is also affected if used to process untrusted
data in DER format.

Note: although an application using the SSL/TLS portions of OpenSSL is not
automatically affected it might still call a function such as d2i_X509_bio on
untrusted data and be vulnerable.

Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and
to Adam Langley <> for fixing it.

Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.


URL for this Security Advisory:

To update your installation, click on the "Install Cygwin now" link on
the web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

If you need more information on unsubscribing, start reading here:

Please read *all* of the information on unsubscribing that is available
starting at the above URL.

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]