Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <536F1320.3010408@users.sourceforge.net>
Date: Sun, 11 May 2014 01:05:20 -0500
From: "Yaakov (Cygwin/X)" <yselkowitz AT users DOT sourceforge DOT net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin64 v1.7.29: ruby 1.9.3p484 still vulnerable to Heartbleed bug
References: <536E5F1C DOT 8030705 AT liturgica DOT com>
In-Reply-To: <536E5F1C.8030705@liturgica.com>
On 2014-05-10 12:17, Robert Miesen wrote:
> I recently installed the ruby package via Cygwin64 and, after running a
> simple script, discovered that the version of ruby installed by Cygwin
> also installs version 1.0.1f of the OpenSSL library, which is vulnerable
> to the Heartbleed bug.

Please don't spread misinformation. If you suspect an issue, *ask a question* instead of making seemingly definitive statements.

I'm going to guess (since you didn't specify what your "simple script" was) that you ran something like:

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.1f 6 Jan 2014

OPENSSL_VERSION is a compile-time constant[1]:

> OPENSSL_VERSION
> Version of OpenSSL the ruby OpenSSL extension was built with

IOW, all this tells you is that the (bundled) openssl extension was compiled against 1.0.1f, which is true but irrelevant. What is relevant is that it is dynamically linked against openssl:

$ /bin/ldd /usr/lib/ruby/1.9.1/x86_64-cygwin/openssl.so | grep -v $(cygpath -W)
        cygruby191.dll => /usr/bin/cygruby191.dll (0x4738c0000)
        cygcrypt-0.dll => /usr/bin/cygcrypt-0.dll (0x442db0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cygcrypto-1.0.0.dll => /usr/bin/cygcrypto-1.0.0.dll (0x3eed10000)
        cygz.dll => /usr/bin/cygz.dll (0x3c0f60000)
        cygssl-1.0.0.dll => /usr/bin/cygssl-1.0.0.dll (0x3cb7d0000)

And therefore one simply needs to check the currently installed version of openssl:

$ cygcheck -c libopenssl100
Cygwin Package Information
Package              Version        Status
libopenssl100        1.0.1g-1       OK

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014

$ ruby -rfiddle -e 'puts Fiddle::Function.new(DL.dlopen("cygcrypto-1.0.0.dll")["SSLeay_version"],[Fiddle::TYPE_INT],Fiddle::TYPE_VOIDP).call(0)'
OpenSSL 1.0.1g 7 Apr 2014

If your installation is current, these will be your results, and your Cygwin installation is NOT vulnerable to CVE-2014-0160.

Yaakov
(Cygwin ruby maintainer)

[1] http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL.html
(or install ruby-doc and run 'ri OpenSSL')

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
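The distinction Yaakov draws above (the compile-time OPENSSL_VERSION constant versus the OpenSSL library the extension is actually loaded against) is the whole point, and it is easy to get wrong in an automated audit. The following Ruby script is an added example, not code from the thread or from the Cygwin ruby package: it parses an OpenSSL version string, classifies it against the CVE-2014-0160 range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fix), and reports when the build-time and run-time versions disagree. It assumes a ruby openssl extension new enough to expose OpenSSL::OPENSSL_LIBRARY_VERSION (the run-time string; Ruby 1.9.3 lacks it, which is why the post resorts to Fiddle) and falls back to "unknown" when that constant is absent rather than trusting the compile-time value.

```ruby
# Added example (not part of the original post): separate the OpenSSL
# version a Ruby extension was *built* against from the one it is *running*
# with, and judge only the latter against the Heartbleed (CVE-2014-0160) range.

begin
  require 'openssl'
rescue LoadError
  # No openssl extension at all: runtime probing below yields nil.
end

# Matches strings such as "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.1g 7 Apr 2014".
OPENSSL_VERSION_RE = /\AOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/

# Returns {major:, minor:, fix:, patch:} or nil when the string is not an
# OpenSSL version banner.
def parse_openssl_version(str)
  m = OPENSSL_VERSION_RE.match(str.to_s)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, fix: m[3].to_i, patch: m[4] }
end

# CVE-2014-0160 affects the 1.0.1 series up to and including 1.0.1f.
# An empty patch letter is the initial 1.0.1 release and is also affected.
# Returns true/false, or nil when the version string cannot be parsed.
def heartbleed_vulnerable?(version_string)
  v = parse_openssl_version(version_string)
  return nil if v.nil?
  v[:major] == 1 && v[:minor] == 0 && v[:fix] == 1 && v[:patch] < 'g'
end

# Read both constants from the loaded extension. OPENSSL_LIBRARY_VERSION is
# the run-time library banner (assumed available on Ruby >= 2.1); on older
# Rubies it is nil and the caller must probe the DLL another way.
def openssl_versions
  {
    compile_time: defined?(OpenSSL::OPENSSL_VERSION) ? OpenSSL::OPENSSL_VERSION : nil,
    runtime: defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : nil
  }
end

# Pure assessment so it can be exercised with constructed inputs.
# Only the run-time version decides exposure; the compile-time value is
# reported solely so a mismatch (the situation in the thread) is visible.
def assess(compile_time:, runtime:)
  effective = runtime
  {
    compile_time: compile_time,
    runtime: runtime,
    mismatch: !compile_time.nil? && !runtime.nil? && compile_time != runtime,
    vulnerable: effective.nil? ? :unknown : heartbleed_vulnerable?(effective)
  }
end

if __FILE__ == $0
  report = assess(**openssl_versions)
  puts "built against : #{report[:compile_time] || 'n/a'}"
  puts "running with  : #{report[:runtime] || 'unknown (no OPENSSL_LIBRARY_VERSION)'}"
  puts "build/run mismatch: #{report[:mismatch]}"
  puts "Heartbleed exposure (runtime only): #{report[:vulnerable]}"
end
```

Run stand-alone it prints the two banners for the current interpreter; in a fleet check you would feed `assess` the run-time string obtained however the platform allows (the Fiddle call in the post, or `openssl version` as Yaakov shows), never the compile-time constant alone.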
Copyright © 2019 by DJ Delorie. Updated Jul 2019.