Updated: openssl-0.9.7a-3, openssl-devel-0.9.7a-3

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Mar 19 21:05:00 GMT 2003

I've updated the version of OpenSSL to 0.9.7a-3.  This also includes the
openssl-devel package.

This is a security update.  It fixes another vulnerability of the RSA

The official security advisory follows:

  Klima-Pokorny-Rosa attack on RSA in SSL/TLS

  Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
  have come up with an extension of the "Bleichenbacher attack" on RSA
  with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.  Their
  attack requires the attacker to open millions of SSL/TLS connections
  to the server under attack; the server's behaviour when faced with
  specially made-up RSA ciphertexts can reveal information that in
  effect allows the attacker to perform a single RSA private key
  operation on a ciphertext of its choice using the server's RSA key.
  Note that the server's RSA key is not compromised in this attack.

  This problem affects all applications using the OpenSSL SSL/TLS library.
  OpenSSL releases up to 0.9.6i and 0.9.7a are vulnerable. The enclosed
  patch modifies SSL/TLS server behaviour to avoid the vulnerability.
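The countermeasure the advisory's patch applies, shown here as an added example that is not part of this announcement or of OpenSSL's own code: after RSA decryption the server checks the PKCS #1 v1.5 block and the embedded client_version without branching on the outcome, and on any failure silently substitutes a random premaster secret, so every malformed ciphertext makes the handshake fail in the same way (at Finished) and with the same timing. The function names, the constant-time helper and the sample block are my own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PMS_LEN 48
/* Constant-time "a != b": 0xFF if the bytes differ, 0x00 if equal. */
static uint8_t ct_ne(uint8_t a, uint8_t b) {
    uint8_t x = a ^ b;
    x |= x >> 4; x |= x >> 2; x |= x >> 1;
    return (uint8_t)(0 - (x & 1));
}

/* em/emlen: RSA-decrypted block, expected 00 02 PS(>=8 nonzero bytes) 00 PMS(48).
 * vmaj/vmin: client_version the server expects in PMS[0..1].
 * fallback: 48 random bytes the caller drew before calling.
 * out: always receives 48 bytes: the real PMS if every check passes, fallback otherwise.
 * No status is returned on purpose: the caller proceeds identically in both cases, so a
 * forged ciphertext produces the same alert (at Finished) and the same timing as a valid one. */
void tls_premaster_from_em(const uint8_t *em, size_t emlen, uint8_t vmaj, uint8_t vmin,
                           const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN]) {
    if (emlen < 11 + PMS_LEN) {              /* emlen is the public key size: safe to branch */
        memcpy(out, fallback, PMS_LEN);
        return;
    }
    size_t p = emlen - PMS_LEN;              /* PMS is the final 48 bytes */
    uint8_t bad = ct_ne(em[0], 0x00) | ct_ne(em[1], 0x02);
    for (size_t i = 2; i < p - 1; i++)
        bad |= (uint8_t)~ct_ne(em[i], 0x00); /* a zero inside PS is a padding error */
    bad |= ct_ne(em[p - 1], 0x00) | ct_ne(em[p], vmaj) | ct_ne(em[p + 1], vmin);
    for (size_t i = 0; i < PMS_LEN; i++)     /* branch-free select: no early exit, no error path */
        out[i] = (uint8_t)((em[p + i] & ~bad) | (fallback[i] & bad));
}
/* Constructed demo (not OpenSSL code): a 128-byte block as an RSA-1024 key would yield, TLS 1.0.
 * which: 0 = well-formed, 1 = wrong block type, 2 = zero inside PS, 3 = wrong client_version.
 * Returns 1 if out is the embedded PMS, 2 if out is the fallback, 0 otherwise. */
int demo_case(int which) {
    uint8_t em[128], fb[PMS_LEN], out[PMS_LEN];
    memset(em, 0x41, sizeof em);             /* PS filler: nonzero bytes */
    em[0] = 0x00; em[1] = 0x02; em[79] = 0x00;
    memset(em + 80, 0x55, PMS_LEN);          /* constructed premaster secret */
    em[80] = 0x03; em[81] = 0x01;            /* client_version = TLS 1.0 */
    memset(fb, 0xEE, sizeof fb);             /* stands in for 48 fresh random bytes */
    if (which == 1) em[1] = 0x01;
    if (which == 2) em[40] = 0x00;
    if (which == 3) em[81] = 0x00;
    tls_premaster_from_em(em, sizeof em, 0x03, 0x01, fb, out);
    if (memcmp(out, em + 80, PMS_LEN) == 0) return 1;
    if (memcmp(out, fb, PMS_LEN) == 0) return 2;
    return 0;
}
```

In a real server the fallback must come from a cryptographic RNG for each ClientKeyExchange, and the caller must also drop the client_version check into this same branch-free path rather than emitting its own alert.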

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Once you've downloaded setup.exe, run it and select "Net"
("Devel" for the openssl-devel package) and then click on the appropriate
field until the above announced version number appears if it is not
displayed already.

If you have questions or comments, please send them to the Cygwin
mailing list at: cygwin@cygwin.com.  I would appreciate it if you would
use this mailing list rather than emailing me directly.  This includes
ideas and comments about the setup utility or Cygwin in general.

If you want to make a point or ask a question, the Cygwin mailing list
is the appropriate place.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:


If you need more information on unsubscribing, start reading here:


Please read *all* of the information on unsubscribing that is available
starting at this URL.

I implore you to READ this information before sending email about how
you "tried everything" to unsubscribe.  In 100% of the cases where
people were unable to unsubscribe, the problem was that they hadn't
actually read and comprehended the unsubscribe instructions.

If you need to unsubscribe from cygwin-announce or any other mailing
list, reading the instructions at the above URL is guaranteed to
provide you with the info that you need.

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
