Updated: openssl-1.0.1c-1, libopenssl098-0.9.8x-1

Corinna Vinschen corinna-cygwin@cygwin.com
Fri May 11 12:01:00 GMT 2012

I've updated the version of OpenSSL to 1.0.1c-1.  I also updated
the 0.9.8 libs to 0.9.8x-1.

This is an upstream security release.  The Cygwin release is build from
the vanilla sources.

Here's the official security advisory:

OpenSSL Security Advisory [10 May 2012]

Invalid TLS/DTLS record attack (CVE-2012-2333)

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and

DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x


URL for this Security Advisory:

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:


If you need more information on unsubscribing, start reading here:


Please read *all* of the information on unsubscribing that is available
starting at the above URL.

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

More information about the Cygwin-announce mailing list