Updated: openssl-0.9.7d-1, openssl-devel-0.9.7d-1

Corinna Vinschen corinna-cygwin@cygwin.com
Thu Mar 18 08:34:00 GMT 2004


I've updated the version of OpenSSL to 0.9.7d-1.  This also includes the
openssl-devel package.

This is a security update.

-----------------------------------------------------------------------
Note:  I've removed the OpenSSL-0.9.6 package now from the Cygwin net
distribution.  None of the distro packages were using it anymore.
-----------------------------------------------------------------------

Official security advisory:

=======================================================================
OpenSSL Security Advisory [17 March 2004]

Updated versions of OpenSSL are now available which correct two
security issues:


1. Null-pointer assignment during SSL handshake
===============================================

Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a null-pointer assignment in the
do_change_cipher_spec() function.  A remote attacker could perform a
carefully crafted SSL/TLS handshake against a server that used the
OpenSSL library in such a way as to cause OpenSSL to crash.  Depending
on the application this could lead to a denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0079 to this issue.

All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from
0.9.7a to 0.9.7c inclusive are affected by this issue.  Any
application that makes use of OpenSSL's SSL/TLS library may be
affected.  Please contact your application vendor for details.


2. Out-of-bounds read affects Kerberos ciphersuites
===================================================

Stephen Henson discovered a flaw in SSL/TLS handshaking code when
using Kerberos ciphersuites.  A remote attacker could perform a
carefully crafted SSL/TLS handshake against a server configured to use
Kerberos ciphersuites in such a way as to cause OpenSSL to crash.
Most applications have no ability to use Kerberos ciphersuites and
will therefore be unaffected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0112 to this issue.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this
issue.  Any application that makes use of OpenSSL's SSL/TLS library
may be affected.  Please contact your application vendor for details.
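The affected-version statements for both issues (0.9.6c to 0.9.6k and 0.9.7a to 0.9.7c for CAN-2004-0079, 0.9.7a to 0.9.7c for CAN-2004-0112) are easy to get wrong when checked by eye across a fleet. The script below is an added example, not part of this announcement or of the OpenSSL advisory: it encodes exactly the ranges the advisory lists and classifies either a bare version string or the output of `openssl version`. The function names (`extract_version`, `openssl_affected`, `check_installed_openssl`) and the sample strings in the loop are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the announcement or of the OpenSSL advisory:
# classify an OpenSSL version string against the affected ranges the
# advisory lists, so an inventory script can flag hosts that still need
# the 0.9.6m / 0.9.7d update.
#
# Ranges as stated in the advisory:
#   CAN-2004-0079: 0.9.6c .. 0.9.6k inclusive, 0.9.7a .. 0.9.7c inclusive
#   CAN-2004-0112: 0.9.7a .. 0.9.7c inclusive

# extract_version STRING
#   Prints the bare version (e.g. "0.9.7c") from either a bare version
#   or the output of "openssl version" ("OpenSSL 0.9.7c 30 Sep 2003").
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\).*$/\2/p'
}

# openssl_affected STRING
#   Prints the space-separated CAN identifiers that apply and returns 0,
#   or prints nothing and returns 1 when the version is outside both ranges.
#   Returns 2 if no version could be parsed from STRING.
openssl_affected() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || return 2
    # Letters are enumerated explicitly rather than written as [c-k] so the
    # match does not depend on the locale's collation order.
    case $ver in
        0.9.6[cdefghijk]) printf 'CAN-2004-0079\n'; return 0 ;;
        0.9.7[abc])       printf 'CAN-2004-0079 CAN-2004-0112\n'; return 0 ;;
        *)                return 1 ;;
    esac
}

# check_installed_openssl
#   Runs the locally installed "openssl version" (if any) through the check.
check_installed_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl: not installed" >&2; return 2; }
    v=$(openssl version)
    if cans=$(openssl_affected "$v"); then
        echo "$v: AFFECTED ($cans); upgrade to 0.9.6m or 0.9.7d"
        return 0
    fi
    echo "$v: not in an affected range"
    return 1
}

# Constructed sample strings (not real host data) showing the classification.
for sample in "OpenSSL 0.9.7c 30 Sep 2003" "0.9.6k" "OpenSSL 0.9.7d 17 Mar 2004" "0.9.6m"; do
    if cans=$(openssl_affected "$sample"); then
        echo "$sample -> affected: $cans"
    else
        echo "$sample -> not affected"
    fi
done
```

Note that the check is deliberately literal: a version outside the listed ranges is reported as "not affected" only in the sense that the advisory does not name it, which is why the installed-binary wrapper prints the full version string alongside the verdict.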

Recommendations
---------------

Upgrade to OpenSSL 0.9.7d or 0.9.6m.  Recompile any OpenSSL applications
statically linked to OpenSSL libraries.

OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
mirrors under http://www.openssl.org/source/mirror.html):

    ftp://ftp.openssl.org/source/

The distribution file names are:

    o openssl-0.9.7d.tar.gz
      MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5

    o openssl-0.9.6m.tar.gz [normal]
      MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
    o openssl-engine-0.9.6m.tar.gz [engine]
      MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command:

    openssl md5 openssl-0.9*.tar.gz
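Comparing a freshly downloaded tarball against the published checksums is the step most often skipped. The script below is an added example, not part of this announcement or of the advisory: it embeds the three checksums exactly as the advisory prints them, computes the digest with the same `openssl md5` command the advisory used (falling back to `md5sum` when no `openssl` binary is on the path), and exits non-zero on any mismatch so it can gate an unattended build. The function names (`expected_md5`, `file_md5`, `verify_tarball`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the announcement or of the OpenSSL advisory:
# verify a downloaded OpenSSL tarball against the MD5 checksums published
# in the advisory before unpacking it. The checksum table is copied from
# the advisory text; everything else here is this example's own code.

# expected_md5 FILENAME -> prints the advisory's checksum for that tarball,
# returns 1 if the filename is not one of the three the advisory lists.
expected_md5() {
    case $(basename "$1") in
        openssl-0.9.7d.tar.gz)        echo 1b49e90fc8a75c3a507c0a624529aca5 ;;
        openssl-0.9.6m.tar.gz)        echo 1b63bfdca1c37837dddde9f1623498f9 ;;
        openssl-engine-0.9.6m.tar.gz) echo 4c39d2524bd466180f9077f8efddac8c ;;
        *) return 1 ;;
    esac
}

# file_md5 FILE -> prints the hex MD5 digest of FILE, using "openssl md5"
# (the command the advisory used) when available and md5sum otherwise.
file_md5() {
    if command -v openssl >/dev/null 2>&1; then
        # "openssl md5 FILE" prints "MD5(FILE)= <hex>"; keep the last field.
        openssl md5 "$1" | awk '{print $NF}'
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE [EXPECTED]
#   Returns 0 when FILE's MD5 equals EXPECTED (or, if EXPECTED is omitted,
#   the advisory's value for that filename), 1 on a mismatch, and 2 when
#   no published checksum is known for the file.
verify_tarball() {
    file=$1
    if [ -n "$2" ]; then
        expected=$2
    else
        expected=$(expected_md5 "$file") || expected=
    fi
    if [ -z "$expected" ]; then
        echo "$file: no published checksum for this filename" >&2
        return 2
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK ($actual)"
        return 0
    fi
    echo "$file: MISMATCH expected $expected got $actual" >&2
    return 1
}

# Usage: sh verify-openssl-tarball.sh openssl-0.9.7d.tar.gz [more files...]
# Exits non-zero as soon as one file fails, so it can gate a build step.
for f in "$@"; do
    verify_tarball "$f" || exit $?
done
```

The digest algorithm is MD5 only because that is what the advisory published; on its own an MD5 match shows the file was not corrupted in transit, and where the project also ships a detached signature that signature is the stronger check to add.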

Credits
-------

Patches for these issues were created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.  The OpenSSL team would
like to thank Codenomicon for supplying the TLS Test Tool which was
used to discover these vulnerabilities, and Joe Orton of Red Hat for
performing the majority of the testing.

References
----------

http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt
=======================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Once you've downloaded setup.exe, run it and select "Net"
("Devel" for the openssl-devel package) and then click on the appropriate
field until the above announced version number appears if it is not
displayed already.

If you have questions or comments, please send them to the Cygwin
mailing list at: cygwin@cygwin.com .  I would appreciate it if you would
use this mailing list rather than emailing me directly.  This includes
ideas and comments about the setup utility or Cygwin in general.

If you want to make a point or ask a question, the Cygwin mailing list
is the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.

I implore you to READ this information before sending email about how
you "tried everything" to unsubscribe.  In 100% of the cases where
people were unable to unsubscribe, the problem was that they hadn't
actually read and comprehended the unsubscribe instructions.

If you need to unsubscribe from cygwin-announce or any other mailing
list, reading the instructions at the above URL is guaranteed to
provide you with the info that you need.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
