Updated: openssl096-0.9.6i-2

Corinna Vinschen corinna-cygwin@cygwin.com
Tue Mar 18 21:27:00 GMT 2003


This package contains the runtime libraries of OpenSSL version 0.9.6i
which are needed to run applications still linked against 0.9.6.

This is a security update.  It fixes a vulnerability in RSA encryption.

The official security advisory follows:

  OpenSSL v0.9.7a and 0.9.6i vulnerability
  ----------------------------------------

  Researchers have discovered a timing attack on RSA keys, to which
  OpenSSL is generally vulnerable, unless RSA blinding has been turned
  on.

  Typically, it will not have been, because it is not easily possible to
  do so when using OpenSSL to provide SSL or TLS.

  The enclosed patch switches blinding on by default. Applications that
  wish to can remove the blinding with RSA_blinding_off(), but this is
  not generally advised. It is also possible to disable it completely by
  defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

  The performance impact of blinding appears to be small (a few
  percent).

  This problem affects many applications using OpenSSL, in particular,
  almost all SSL-enabled Apaches. You should rebuild and reinstall
  OpenSSL, and all affected applications.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2003-0147 to this issue.

  We strongly advise upgrading OpenSSL in all cases, as a precaution.


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Once you've downloaded setup.exe, run it and select "Net"
("Devel" for the openssl-devel package) and then click on the appropriate
field until the above announced version number appears if it is not
displayed already.

If you have questions or comments, please send them to the Cygwin
mailing list at: cygwin@cygwin.com .  I would appreciate it if you would
use this mailing list rather than emailing me directly.  This includes
ideas and comments about the setup utility or Cygwin in general.

If you want to make a point or ask a question, the Cygwin mailing list
is the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.

I implore you to READ this information before sending email about how
you "tried everything" to unsubscribe.  In 100% of the cases where
people were unable to unsubscribe, the problem was that they hadn't
actually read and comprehended the unsubscribe instructions.

If you need to unsubscribe from cygwin-announce or any other mailing
list, reading the instructions at the above URL is guaranteed to
provide you with the info that you need.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
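The countermeasure the advisory switches on, RSA blinding, is easy to see in arithmetic even though the advisory itself only names it. The block below is an added worked example written for this page; it is not code from the advisory, from OpenSSL, or from the Cygwin package. It uses a constructed toy RSA key (primes far too small to be secure), and the names `rsa_blind`, `rsa_decrypt_unblinded`, `rsa_decrypt_blinded` and `demo` are example names, not OpenSSL API. The unblinded function shows the vulnerable shape: the private exponentiation runs directly on an attacker-chosen ciphertext, so its running time depends on that ciphertext and the private exponent. The blinded function multiplies the ciphertext by a fresh random r^e first, exponentiates, and then strips r, so the secret operation never sees a value the attacker controls.

```python
import math
import secrets

# Constructed toy RSA key pair for illustration only (assumed values; the
# primes are far too small to be secure).
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent; needs Python 3.8+


def rsa_encrypt(m, n=N, e=E):
    """Textbook RSA: c = m^e mod n (no padding; illustration only)."""
    return pow(m, e, n)


def rsa_decrypt_unblinded(c, n=N, d=D):
    """The vulnerable shape: the private exponentiation runs directly on the
    attacker-chosen ciphertext c, so its timing is a function of c and d."""
    return pow(c, d, n)


def rsa_blind(c, r, n=N, e=E):
    """Blind c with the public-key operation on r: c' = c * r^e mod n."""
    return (c * pow(r, e, n)) % n


def rsa_decrypt_blinded(c, n=N, e=E, d=D, r=None):
    """RSA decryption with blinding, the countermeasure the advisory enables.

    Returns (plaintext, blinded_operand).  `r` may be supplied for testing;
    in real use it must be a fresh secret random value for every operation.
    """
    if r is None:
        while True:
            r = secrets.randbelow(n - 2) + 2        # r in [2, n-1]
            if math.gcd(r, n) == 1:                 # r must be invertible mod n
                break
    r_inv = pow(r, -1, n)
    blinded = rsa_blind(c, r, n, e)
    # The private exponentiation now sees c * r^e, a value the attacker cannot
    # predict, so its running time no longer correlates with the ciphertext
    # the attacker chose.  Cost: one extra exponentiation with the small
    # public exponent plus one modular inverse, hence "a few percent".
    m_blinded = pow(blinded, d, n)                 # == m * r mod n, since (r^e)^d == r
    return (m_blinded * r_inv) % n, blinded


def demo(message=123456789):
    """Round-trip one message both ways and report what the private
    exponentiation actually operated on."""
    c = rsa_encrypt(message)
    plain_unblinded = rsa_decrypt_unblinded(c)
    plain_blinded_1, operand_1 = rsa_decrypt_blinded(c)
    plain_blinded_2, operand_2 = rsa_decrypt_blinded(c)
    return {
        "message": message,
        "ciphertext": c,
        "unblinded_ok": plain_unblinded == message,
        "blinded_ok": plain_blinded_1 == message and plain_blinded_2 == message,
        # Same ciphertext twice, yet the secret operation saw two different
        # operands, neither of them the attacker's c.
        "operands_differ": operand_1 != operand_2 and operand_1 != c,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the result is identical with or without blinding; only the intermediate value that the private-key operation touches changes, which is exactly why the advisory can turn it on by default without breaking callers, and why an application should not call RSA_blinding_off() unless it has a specific reason.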


